CVE-2016-4055
regular expression denial of service vulnerability in moment (npm)

regular expression denial of service | No known exploit | Fixable By Resolved Security

What is CVE-2016-4055 About?

This vulnerability is a regular expression denial of service (ReDoS) affecting `moment.js` versions prior to 2.11.2. It is triggered when arbitrary user input is passed into `moment.duration()`, causing excessive processing and service disruption. Exploitation is easy, requiring only specially crafted input.

Affected Software

moment <2.11.2

Technical Details

The vulnerability in moment.js versions prior to 2.11.2 is a regular expression denial of service (ReDoS). It arises when the moment.duration() function processes arbitrary user-controlled input that contains specific patterns. An inefficiently crafted regular expression within this function causes excessive backtracking when faced with certain input, leading to a significant and disproportionate increase in processing time. This 'catastrophic backtracking' consumes CPU resources, blocking the event loop and effectively rendering the application unresponsive, thus causing a denial of service.

What is the Impact of CVE-2016-4055?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unresponsive to legitimate users.

What is the Exploitability of CVE-2016-4055?

Exploitation is of low complexity. An attacker only needs to provide specially crafted input to an application that processes it using moment.duration() in a vulnerable version of the library. There are no specific authentication or privilege requirements. The attack is remote, as long as the application exposes an endpoint where user input is passed to moment.duration(). The primary risk factor is any application that uses vulnerable moment.js versions and processes untrusted input through this function, as the malicious string can easily trigger the ReDoS attack, blocking the application's event loop.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2016-4055?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch changes the ASP.NET JSON date format regular expression to include start (^) and end ($) anchors, ensuring the entire string is validated and not just any substring match. This mitigates CVE-2016-4055, which allowed malicious input to bypass validation and potentially exploit code paths by embedding unexpected characters before or after a valid date substring.
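The code below is an added example, not code from moment or from Resolved Security. It shows the difference the start and end anchors make, and an interim guard for call sites that pass request data to `moment.duration()`. The two patterns, the `MAX_LEN` cap and the `guardDurationInput` name are assumptions made for illustration; the patterns are simplified and are not moment's own regular expressions.

```javascript
'use strict';

// Assumption: the application only accepts ASP.NET-style time spans of the
// form [-][d.]hh:mm[:ss[.fraction]], e.g. "1.02:03:04.567".
// Constructed, simplified patterns with bounded quantifiers; they are NOT
// the regular expressions used inside moment.
const UNANCHORED = /-?(?:\d{1,8}\.)?\d{1,2}:\d{2}(?::\d{2}(?:\.\d{1,7})?)?/;
const ANCHORED = new RegExp('^' + UNANCHORED.source + '$');

// Hypothetical cap: the longest string ANCHORED can accept is far shorter.
const MAX_LEN = 32;

// Returns the validated string, or null when the input must not be passed
// on to moment.duration(). The length check runs first so that no regular
// expression ever sees oversized input.
function guardDurationInput(input) {
  if (typeof input !== 'string') return null;
  if (input.length === 0 || input.length > MAX_LEN) return null;
  return ANCHORED.test(input) ? input : null;
}

// Constructed sample inputs: two valid spans, one valid span embedded in
// other text, and one string over the length cap.
const samples = [
  '1.02:03:04.567',
  '-00:45',
  'x 00:45 y',
  '00:45'.padEnd(64, ' '),
];

for (const s of samples) {
  const shown = s.length > 20 ? s.slice(0, 20) + '...(' + s.length + ' chars)' : s;
  console.log(
    JSON.stringify(shown),
    '| unanchored match:', UNANCHORED.test(s),
    '| guard accepts:', guardDurationInput(s) !== null
  );
}
```

The guard narrows what reaches the parser on a version that cannot be upgraded immediately; upgrading to 2.11.2 remains the fix listed under the upgrade options.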

Available Upgrade Options

  • moment
    • <2.11.2 → Upgrade to 2.11.2

Additional Resources

What are Similar Vulnerabilities to CVE-2016-4055?

Similar Vulnerabilities: CVE-2017-16114, CVE-2017-15944, CVE-2019-10741, CVE-2020-28283, CVE-2021-3918