Regular Expression Denial of Service (ReDoS) in moment/moment
Jun 6th 2022
Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks for any string input controlled by the user.
An attacker can supply a specially crafted input to the default function moment() that nearly matches the pattern being tested. The regular expression engine then takes a very long time to reject it, occupying the event loop the whole time, so the server cannot process other requests and becomes unavailable (a denial of service).
Proof of Concept
// PoC.js
const moment = require('moment');
moment("(".repeat(50000));   // local execution time ~= 0m1.6s
moment("(".repeat(500000));  // local execution time ~= 8m49.741s
Execution time should grow linearly with input length, not polynomially.
Any dependent that passes user-controllable string input to moment() could trigger the denial of service. It happens in the default use of the package and potentially affects around 57,775 dependents (last access: June 7 2022).
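As an added example (not part of the advisory and not code from the moment project), the following wrapper shows the kind of guard a dependent can place in front of moment() while waiting for a fixed version: untrusted input is checked with a length cap and a single character-class allow-list (both linear in input length) before it reaches the date parser. The parser is injected as a function so the file runs without moment installed; parseDate, MAX_DATE_INPUT_LENGTH and DATE_CHARSET are assumptions chosen for illustration, and the probe strings are constructed.

```javascript
// Added example, not from the advisory or the moment project.
// A defensive wrapper that validates untrusted date strings before handing
// them to a date parser such as moment().

// Assumption: no legitimate date string a service accepts is longer than this.
const MAX_DATE_INPUT_LENGTH = 64;

// Assumption: allow-list of characters that appear in ordinary date formats
// (digits, letters for month names / 'T' / 'Z', and common separators).
// A single character class with one quantifier has no nested repetition,
// so testing it is linear in the input length.
const DATE_CHARSET = /^[0-9A-Za-z:+\-.\/ ]+$/;

// Returns true only for input that is cheap to hand to a parser.
function isSafeDateInput(input) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > MAX_DATE_INPUT_LENGTH) return false;
  return DATE_CHARSET.test(input);
}

// Validates first, then calls the injected parser (e.g. moment) only on
// input that passed the guard. Rejected input never reaches the parser.
function parseUntrustedDate(input, parser) {
  if (!isSafeDateInput(input)) {
    return { ok: false, reason: 'rejected before parsing' };
  }
  const value = parser(input);
  return value ? { ok: true, value } : { ok: false, reason: 'unparseable' };
}

// Stand-in parser so the example runs offline; a real service would pass
// moment here instead. Returns null for input the engine cannot parse.
function parseDate(s) {
  const t = Date.parse(s);
  return Number.isNaN(t) ? null : new Date(t);
}

// Constructed probe inputs: a normal timestamp, the advisory's PoC shape,
// and an over-long but otherwise harmless string.
const probes = ['2022-06-06T10:00:00Z', '('.repeat(50000), 'x'.repeat(65)];

for (const p of probes) {
  const result = parseUntrustedDate(p, parseDate);
  console.log(`${p.slice(0, 24)}${p.length > 24 ? '...' : ''} (len ${p.length}) ->`, result.ok, result.reason || '');
}
```

The guard is deliberately stricter than the parser: it may reject some exotic but valid formats, which is the right trade-off for a public endpoint. Tune MAX_DATE_INPUT_LENGTH and DATE_CHARSET to the formats your service actually accepts, and prefer passing a fixed format string to the parser rather than relying on free-form detection.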