7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
68.6%
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven’t seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000))
will take a few minutes to process, which is unacceptable.
github.com/advisories/GHSA-wc69-rhjr-hc9g
github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
github.com/moment/moment/pull/6015#issuecomment-1152961973
github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4
github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe
github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504
github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
lists.debian.org/debian-lts-announce/2023/01/msg00035.html
lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
lists.fedoraproject.org/archives/list/[email protected]/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/
lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
lists.fedoraproject.org/archives/list/[email protected]/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/
nvd.nist.gov/vuln/detail/CVE-2022-31129
security.netapp.com/advisory/ntap-20221014-0003/
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
68.6%