color-string
npm | 2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting color-string
- CVE-2021-29060 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.5.5 | 2021-06-21
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
- CVE-2025-59142 | HIGH | CVSS 8.8 | EG 0.0 | 2025-09-15
vulnerable: 2.1.1
color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patc…