Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31129

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Published

2022-07-06T18:15:19.570

Last Modified

2024-11-21T07:03:57.430

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-400
Type: Primary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	momentjs	moment	< 2.29.4	Yes
Application	momentjs	moment	< 2.29.4	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	debian	debian_linux	10.0	Yes

References

https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 Patch, Third Party Advisory ([email protected])
https://github.com/moment/moment/pull/6015#issuecomment-1152961973 Exploit, Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g Issue Tracking, Third Party Advisory ([email protected])
https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/ Exploit, Issue Tracking, Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/ ([email protected])
https://security.netapp.com/advisory/ntap-20221014-0003/ Third Party Advisory ([email protected])
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/moment/moment/pull/6015#issuecomment-1152961973 Exploit, Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/ Exploit, Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20221014-0003/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)