Description
All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 0.7.7
References
Related Issues
- jQuery vulnerable to Cross-Site Scripting (XSS) - CVE-2011-4969
- min-document vulnerable to prototype pollution - CVE-2025-57352
- Remote code execution via the `pretty` option. - CVE-2021-21353
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
- Tags:
- npm
- dat.gui
Anything's wrong? Let us know Last updated on February 01, 2023