I got a notification on a few of my older repos that three.js has a Denial of Service vulnerability. What does this mean? Does this put my sites at risk of a DDoS attack? I see that it was fixed in Jan, so I can fix it by updating to >= r125, but I’d rather not worry about it unless I really have to.
Heh, I got about 20 emails the other day about the same thing. I think in practice the vulnerability isn’t a huge deal in most cases. The way it’s phrased, it seems to assume that whatever package has the vulnerability is being used in node on a server, which three.js often is not. I suppose if you’re using three.js in node and a user sends a long and invalid color string through a REST endpoint, it could end up taking down your server, but otherwise it doesn’t seem worth sweating about. If you’re just running three.js in a browser like most do, then the worst thing a user could do is lock up their own window.
That’s my impression of the issue, at least. I’m not racing to update all my demos, and I’m not running three.js in node anywhere that takes user input from an endpoint and stuffs it into three.
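For the node-on-a-server scenario the reply above describes, here is an added example (not from the post and not three.js code) of the input check a service can put in front of a colour parser: cap the string length with an O(1) check, then match it against anchored, bounded patterns before handing it to the library. The names `sanitizeColorString`, `handleColorRequest`, `MAX_COLOR_STRING_LENGTH` and the short named-colour allowlist are assumptions made up for the example, and the patterns cover only the common hex, rgb(), hsl() and named forms, not everything three.js accepts.

```javascript
// Added example: guard user-supplied colour strings before they reach a
// library parser (e.g. a three.js Color in a node service). Not three.js code;
// every name here is made up for the example.

// Reject anything longer than a legitimate colour string could ever be. This
// O(1) check runs before any pattern matching, so a multi-megabyte payload is
// dropped without ever being scanned. (Assumed limit; adjust to your inputs.)
const MAX_COLOR_STRING_LENGTH = 32;

// Anchored patterns with bounded repetition ({1,3}) and no nested quantifiers,
// so matching cost stays linear in the (already capped) input length.
const HEX_RE = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;
const RGB_RE = /^rgba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(?:0|1|0?\.\d{1,3})\s*)?\)$/i;
const HSL_RE = /^hsla?\(\s*(\d{1,3})\s*,\s*(\d{1,3})%\s*,\s*(\d{1,3})%\s*(?:,\s*(?:0|1|0?\.\d{1,3})\s*)?\)$/i;

// Constructed allowlist: a handful of CSS colour names for the example, not the full list.
const NAMED_COLORS = new Set(['black', 'white', 'red', 'green', 'blue', 'yellow']);

// Returns a normalised colour string that is safe to pass on, or null if the
// input is rejected. Nothing here calls into the library; the caller does that
// only with a non-null result.
function sanitizeColorString(input) {
  if (typeof input !== 'string' || input.length > MAX_COLOR_STRING_LENGTH) return null;
  const s = input.trim();

  if (HEX_RE.test(s)) return s.toLowerCase();

  const rgb = RGB_RE.exec(s);
  if (rgb) {
    // The regex bounds each component to three digits; still enforce 0..255.
    const inRange = rgb.slice(1, 4).every((v) => Number(v) <= 255);
    return inRange ? s.replace(/\s+/g, '').toLowerCase() : null;
  }

  const hsl = HSL_RE.exec(s);
  if (hsl) {
    const [h, sat, l] = hsl.slice(1, 4).map(Number);
    const inRange = h <= 360 && sat <= 100 && l <= 100;
    return inRange ? s.replace(/\s+/g, '').toLowerCase() : null;
  }

  const name = s.toLowerCase();
  return NAMED_COLORS.has(name) ? name : null;
}

// Sketch of the REST handler: the parser is only invoked with a value that
// passed sanitizeColorString. `applyColor` stands in for the library call
// (for example, constructing a THREE.Color from the string).
function handleColorRequest(body, applyColor) {
  const color = sanitizeColorString(body && body.color);
  if (color === null) {
    return { status: 400, error: 'invalid color' };
  }
  applyColor(color);
  return { status: 200, color };
}
```

The length cap is the part that matters: it bounds the work any downstream parser can do regardless of how that parser is implemented, so it keeps protecting the endpoint even after the library is updated. The pattern checks add a second layer by rejecting malformed strings before the library ever sees them.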
Thanks for explaining the vulnerability! I wish it weren’t labeled as high severity, given the low likelihood that this specific scenario would ever take place. It should be an NPM warning or something less intrusive and alarming.