GHSA-5w9c-rv96-fr7g: 
JavaScript vulnerability analysis and mitigation

The package colors.js after version 1.4.0 was affected by a critical vulnerability (CVE-2021-23567) that was deliberately introduced by its maintainer. The issue was discovered in January 2022 and involved an infinite loop in the americanFlag module that caused a Denial of Service (DoS) condition (GitHub Advisory, NVD).

The vulnerability was introduced through an infinite loop in the americanFlag module with the code for (let i = 666; i < Infinity; i++);. This implementation resulted in a high-severity issue with a CVSS v3.1 base score of 7.5. The vulnerability affects all versions after 1.4.0, including version 1.4.44-liberty-2 (Snyk, GitHub Advisory).

The vulnerability results in a Denial of Service (DoS) condition that makes the package completely unusable. When triggered, it causes total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component. This impact is particularly severe as it affects any application depending on the colors package (Snyk).

The recommended mitigation is to pin the dependency to version 1.4.0, as there are no patched versions available. This was a deliberate action by the maintainer, and other maintainers' controls over the package were revoked to prevent fixes (Snyk).

The incident gained significant attention as it appeared to be a deliberate attempt by the maintainer to make the package unusable. The maintainer's actions included revoking other maintainers' access to prevent them from fixing the issue. This event was related to a similar incident with the faker.js package, highlighting concerns about the security and maintenance of popular open-source packages (GitHub Advisory).