CVSS 7.5 | CWE-1333, CWE-400

CVE-2022-31129: Inefficient Regular Expression Complexity in moment

First published: Wed Jul 06 2022

### Impact

* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

### Patches

The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.

### Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

### References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=

### Details

The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.

Credit: security-advisories@github.com
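The length filter from the Workarounds section and the quadratic comment removal from the Details section, as an added example that is not code from moment or from the advisory. The two regular expressions are constructed from the advisory's description, and `boundedDateInput`, `parseUserDate`, `timeStrip` and the `parse` parameter are hypothetical names.

```javascript
// Added example: patterns constructed from the advisory's description,
// not copied from moment's source. Function names are hypothetical.
const MAX_DATE_INPUT = 200; // length limit suggested under Workarounds

// "(" is allowed inside the class, so on a run of unmatched "(" every start
// position scans to the end of the string and backtracks: N^2 work overall.
const QUADRATIC_COMMENT = /\([^)]*\)/g;
// Excluding "(" from the class makes each failed attempt stop immediately.
const LINEAR_COMMENT = /\([^()]*\)/g;

function stripComments(input, pattern) {
  return input.replace(pattern, ' ');
}

// Reject oversized or non-string input before any parser sees it.
function boundedDateInput(raw, maxLen = MAX_DATE_INPUT) {
  if (typeof raw !== 'string') {
    throw new TypeError('date input must be a string');
  }
  if (raw.length > maxLen) {
    throw new RangeError(`date input longer than ${maxLen} characters`);
  }
  return raw;
}

// `parse` is any string-to-date function, e.g. (s) => moment(s).
function parseUserDate(raw, parse) {
  return parse(boundedDateInput(raw));
}

// Milliseconds spent stripping comments from n unmatched "(" characters.
function timeStrip(pattern, n) {
  const input = '('.repeat(n);
  const start = performance.now();
  stripComments(input, pattern);
  return performance.now() - start;
}

// Constructed sizes, kept small: the quadratic column grows much faster
// than the linear one as n doubles.
for (const n of [5000, 10000, 20000]) {
  const slow = timeStrip(QUADRATIC_COMMENT, n).toFixed(1);
  const fast = timeStrip(LINEAR_COMMENT, n).toFixed(1);
  console.log(`n=${n} quadratic=${slow}ms linear=${fast}ms`);
}
```

The two patterns give the same result on comments without nested parentheses; the guard keeps oversized input away from the parser whichever pattern the library uses.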

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Momentjs Moment | >=2.18.0 <2.29.4 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =10.0 | |
| redhat/servicemesh-prometheus | <0:2.14.0-18.el8.1 | 0:2.14.0-18.el8.1 |
| redhat/servicemesh-prometheus | <0:2.23.0-9.el8 | 0:2.23.0-9.el8 |
| redhat/ceph | <2:17.2.6-70.el9c | 2:17.2.6-70.el9c |
| redhat/grafana | <0:5.2.4-6.el7 | 0:5.2.4-6.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| redhat/cockpit-ovirt | <0:0.16.2-1.el8e | 0:0.16.2-1.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.3.5-1.el8e | 0:1.3.5-1.el8e |
| nuget/Moment.js | >=2.18.0 <2.29.4 | 2.29.4 |
| npm/moment | >=2.18.0 <2.29.4 | 2.29.4 |
| redhat/moment | <2.29.4 | 2.29.4 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| debian/node-moment | | 2.29.1+ds-2+deb11u2, 2.29.4+ds-1 |


Frequently Asked Questions

  • What is CVE-2022-31129?

    CVE-2022-31129 is a vulnerability in the Moment.js package that allows an attacker to craft a user-provided string that can cause the parsing algorithm to become inefficient, potentially leading to denial of service.

  • How does CVE-2022-31129 affect moment.js?

    CVE-2022-31129 affects versions of moment.js that use an inefficient parsing algorithm when handling user-provided strings.

  • What is the severity of CVE-2022-31129?

    CVE-2022-31129 has a severity rating of high, with a CVSS score of 7.5.

  • How do I fix CVE-2022-31129?

    To fix CVE-2022-31129, upgrade to version 2.29.4 of the moment.js package.

  • Where can I find more information about CVE-2022-31129?

    More information about CVE-2022-31129 can be found in the following references: [GitHub Commit](https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3), [GitHub Pull Request](https://github.com/moment/moment/pull/6015#issuecomment-1152961973), [GitHub Security Advisory](https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g).
