CVE-2017-18214
Denial of Service vulnerability in moment (npm)
What is CVE-2017-18214 About?
This vulnerability affects `moment` library versions before 2.19.3 and is a low-severity regular expression denial of service (ReDoS). Parsing an untrusted string as a date can trigger the flaw, leading to CPU exhaustion. An attacker can exploit it simply by supplying a specially crafted date string.
Affected Software
Technical Details
The vulnerability in affected versions of the moment library (before 2.19.3) is a Regular Expression Denial of Service (ReDoS). This occurs when the application attempts to parse a specially crafted date string using a vulnerable regular expression. Certain input patterns can cause the regex engine to backtrack excessively, leading to an exponential time complexity in processing the input. This excessive computation consumes CPU resources, causing the application or service to become slow or unresponsive, effectively performing a denial of service.
What is the Impact of CVE-2017-18214?
Successful exploitation may allow attackers to exhaust system resources, leading to service degradation or complete denial of service.
What is the Exploitability of CVE-2017-18214?
Exploitation is generally low complexity, requiring an attacker to submit a specially crafted date string to an application that uses the vulnerable moment library for parsing. No authentication or special privileges are typically required. This is often a remote vulnerability, where the attacker can send the malicious string through a web form, API endpoint, or any other input mechanism that feeds into the date parsing logic. The primary condition is that the application uses the vulnerable moment library and processes untrusted string inputs as dates. The likelihood of exploitation increases if the application exposes date parsing functionality directly to users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-18214?
About the Fix from Resolved Security
The patch for CVE-2017-18214 adds explicit length limits (maximum 256 characters) to the regular expression used for matching date words, preventing excessive backtracking and potential Regular Expression Denial of Service (ReDoS) attacks. By capping the input length, it mitigates the risk of attackers exploiting the regex to severely degrade application performance.
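The exploitability section above notes that the risk exists wherever untrusted strings reach the date parser, and the fix description notes that the patch caps repetitions in the date-word regex at 256 characters. The following is an added example, not code from the moment project, showing the same two defensive ideas at the application layer: a length cap enforced before any third-party parser is called, and an allowlisted format whose regex uses only bounded quantifiers. The function names, the `MAX_DATE_INPUT` policy value (chosen to mirror the patch's 256) and the ISO-only format restriction are assumptions for this example.

```javascript
// Added example (not moment's code). Two layers of ReDoS mitigation for
// date-string input handled by a web application.

// Policy value assumed for this example; mirrors the 256-character limit the
// upstream patch introduced on its regex repetitions.
const MAX_DATE_INPUT = 256;

// Layer 1: reject oversized or non-string input before any regex runs.
// Returns { ok: true, value } or { ok: false, reason }.
function guardDateInput(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not a string" };
  }
  if (input.length > MAX_DATE_INPUT) {
    return { ok: false, reason: `longer than ${MAX_DATE_INPUT} characters` };
  }
  return { ok: true, value: input };
}

// Layer 2: an allowlisted format. Every quantifier has a fixed upper bound and
// the pattern is anchored, so the engine's work grows linearly with input
// length even on hostile strings. Accepts ISO 8601 date or date-time, with an
// optional fractional second and optional zone designator.
const ISO_DATE =
  /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:Z|[+-]\d{2}:\d{2})?)?$/;

// Strict parser: guard, then format check, then the platform Date constructor.
// Returns a Date or null; never throws on bad input.
function parseDateStrict(input) {
  const guarded = guardDateInput(input);
  if (!guarded.ok) return null;
  if (!ISO_DATE.test(guarded.value)) return null;
  const parsed = new Date(guarded.value);
  return Number.isNaN(parsed.getTime()) ? null : parsed;
}

// Wrapper for applications that must keep a third-party parser (for example a
// call such as moment(input)): the length guard still runs first, so an
// over-long string never reaches the library's own regexes. `parser` is any
// function taking a string; it is injected here so the example runs offline.
function safeParseWith(parser, input) {
  const guarded = guardDateInput(input);
  if (!guarded.ok) return { ok: false, reason: guarded.reason };
  return { ok: true, result: parser(guarded.value) };
}

// Constructed sample inputs for a stand-alone run.
const samples = [
  "2017-11-29",
  "2017-11-29T10:20:30.123Z",
  "29 Nov 2017",          // rejected by the allowlist, not an error
  "x".repeat(MAX_DATE_INPUT + 1), // rejected by the length guard
];
for (const s of samples) {
  const d = parseDateStrict(s);
  console.log(JSON.stringify(s.slice(0, 40)), "=>", d ? d.toISOString() : null);
}
```

The length cap is deliberately applied in the application rather than relying on the library alone: it protects any parser placed behind it, including an unpatched dependency that has not yet been upgraded, and it makes the rejection visible to logging before CPU is spent.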
Available Upgrade Options
- moment
  - <2.19.3 → Upgrade to 2.19.3
Additional Resources
- https://github.com/moment/moment/issues/4163
- https://github.com/moment/moment/pull/4326
- https://nvd.nist.gov/vuln/detail/CVE-2017-18214
- https://github.com/advisories/GHSA-446m-mv8f-q348
- https://www.tenable.com/security/tns-2019-02
- https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb
- https://github.com/moment/moment
- https://osv.dev/vulnerability/GHSA-446m-mv8f-q348
What are Similar Vulnerabilities to CVE-2017-18214?
Similar Vulnerabilities: CVE-2023-28155, CVE-2021-23420, CVE-2020-13936, CVE-2018-3720, CVE-2019-10744
