Regular Expression Denial of Service (ReDoS) in moment/moment

Valid

Reported on

Jun 6th 2022


Description

Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks for any string input controlled by the user.

An attacker can provide a specially crafted input to the default function moment(), which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

Proof of Concept

// PoC.js
moment=require('moment')
moment("(".repeat(50000)) // local execution time ~=0m1.6s
moment("(".repeat(500000)) // local execution time ~=8m49.741s

Expected behavior

Execution time has to be linear, not polynomial.

Impact

Any dependent pass user-controllable string inputs to package moment() could cause the denial of service attack. It happens in the default use of the package and potentially affects around 57,775 dependents (last access: June 7 2022).

We are processing your report and will contact the moment team within 24 hours. a year ago
Khang Vo (doublevkay) modified the report
a year ago
a year ago
Khang Vo (doublevkay) modified the report
a year ago
Khang Vo (doublevkay) modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Iskren Ivov Chernev validated this vulnerability a year ago
Khang Vo (doublevkay) has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khang
a year ago

Researcher


Hey @Iskren (@maintainer), The fixed version has already been released. Could we fully disclose this report too?

Iskren Ivov Chernev marked this as fixed in 2.24.4 with commit 9a3b58 a year ago
Khang Vo (doublevkay) has been awarded the fix bounty
This vulnerability will not receive a CVE
from-string.js#L154 has been validated
Khang
a year ago

Researcher


Hi @admin, the vulnerability has been assigned CVE-31129. Could you help to change the CVE ID status of this report?

Jamie Slome
a year ago

Admin


Sorted 👍

to join this conversation