CVE-2022-31129 – moment
Package
Manager: npm
Name: moment
Vulnerable Version: >=2.18.0 <2.29.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03631 (percentile 0.8737)
Details
Moment.js vulnerable to Inefficient Regular Expression Complexity

### Impact

* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

### Patches

The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.

### Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.

### References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=

### Details

The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.
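
The length cap from the Workarounds section, as an added JavaScript example (not code from moment or from the advisory): `parseUserDate` rejects over-long input before the parser runs, and `scanSteps` is a simplified step-counting model of a comment search that shows the quadratic growth described under Impact. The function names, the injected `parse` callback and the model itself are assumptions made for illustration.

```javascript
// Added example, not moment's code. All names are hypothetical; MAX_DATE_LEN
// follows the advisory's "200 characters or less" suggestion.
const MAX_DATE_LEN = 200;

// Simplified model (an assumption, not moment's regex) of an unanchored
// "( ... )" comment search: from every "(" it scans forward for a closing
// ")" and, finding none, gives up and restarts at the next character.
// Returns the number of characters examined.
function scanSteps(s) {
  let steps = 0;
  for (let i = 0; i < s.length; i++) {
    steps++;
    if (s[i] !== "(") continue;
    let j = i + 1;
    while (j < s.length && s[j] !== ")") {
      j++;
      steps++;
    }
    if (j < s.length) i = j; // comment closed: resume after it
  }
  return steps;
}

// Guard to run before any user-supplied string reaches the date parser.
// `parse` is the caller's parser (for instance a function wrapping moment);
// it is injected so this example runs without dependencies.
function parseUserDate(input, parse) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  if (input.length > MAX_DATE_LEN) {
    return { ok: false, reason: "too-long" }; // parser is never invoked
  }
  return { ok: true, value: parse(input) };
}

// Constructed inputs: unclosed parentheses of growing length. Work grows as
// n(n+1)/2 in the model, so 10x the input costs about 100x the steps; the
// guard keeps n at or below MAX_DATE_LEN.
for (const n of [200, 1000, 10000]) {
  console.log(`n=${n} steps=${scanSteps("(".repeat(n))}`);
}
```

The cap bounds the worst case on unpatched versions; upgrading to 2.29.4 remains the fix named under Patches.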
Metadata
Created: 2022-07-06T18:38:49Z
Modified: 2022-09-14T19:29:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-wc69-rhjr-hc9g/GHSA-wc69-rhjr-hc9g.json
CWE IDs: ["CWE-1333", "CWE-400"]
Alternative ID: GHSA-wc69-rhjr-hc9g
Finding: F211
Auto approve: 1