Vulnerability Details : CVE-2022-31129
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Vulnerability category: Denial of service
Products affected by CVE-2022-31129
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:momentjs:moment:*:*:*:*:*:nuget:*:*
- cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31129
0.76%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 81 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31129
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. | |
7.5
|
HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2022-31129
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: security-advisories@github.com (Secondary)
-
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-31129
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/
[SECURITY] Fedora 36 Update: subscription-manager-cockpit-4-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
Inefficient Regular Expression Complexity in moment · Advisory · moment/moment · GitHubIssue Tracking;Third Party Advisory
-
https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
Regular Expression Denial of Service (ReDoS) vulnerability found in momentExploit;Issue Tracking;Patch;Third Party Advisory
-
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
[bugfix] Fix redos in preprocessRFC2822 regex (#6015) · moment/moment@9a3b589 · GitHubPatch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
[SECURITY] [DLA 3295-1] node-moment security updateMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
[SECURITY] Fedora 36 Update: python-notebook-6.4.11-3.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/
[SECURITY] Fedora 37 Update: subscription-manager-cockpit-4-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/moment/moment/pull/6015#issuecomment-1152961973
[bugfix] Fix redos in preprocessRFC2822 regex by vovikhangcdv · Pull Request #6015 · moment/moment · GitHubExploit;Issue Tracking;Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20221014-0003/
CVE-2022-31129 Node.js Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
[SECURITY] Fedora 35 Update: python-notebook-6.4.0-4.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to