CVE-2020-26289
Denial of Service vulnerability in date-and-time (npm)

Category: Denial of Service. Public exploits: none known.

What is CVE-2020-26289 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `date-and-time` npm package. A crafted date string handed to the library's parser drives a regular expression into catastrophic backtracking, which pins the CPU and, because Node.js runs JavaScript on a single event-loop thread, stalls every other request the process is serving until the match finally fails. Exploitation is straightforward: the attacker only needs to submit such a string to any code path that parses it with the vulnerable package.

Affected Software

date-and-time <0.14.2

Technical Details

The date-and-time npm package, in versions prior to 0.14.2, contains a flaw in its date and time parsing mechanism. Specifically, a regular expression used within the parsing logic is susceptible to ReDoS. An attacker can craft an input string that is shaped to satisfy most of the pattern but never completes a match, so the regex engine backtracks through an exponentially growing number of alternative ways to consume the input before giving up. Each additional character of attacker-controlled input multiplies that work, so a short string is enough to occupy the CPU for seconds or longer. Because the match runs synchronously on the event loop, a single request blocks the whole process, producing a denial of service for the application or server utilizing the date-and-time package.
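The mechanics described above, as an added example that is not code from the advisory or from the date-and-time project. The vulnerable pattern here is a constructed date-like regex with nested quantifiers (an assumption for illustration, not the actual regex in date-and-time), the payload is constructed to force exhaustive backtracking, and `parseDateSafe` shows the shape of a parser that cannot be driven into that state: a length cap before any regex runs, an anchored fixed-width pattern, and explicit range checks.

```javascript
// Added example (not code from the date-and-time project): a constructed
// date-like regex with nested quantifiers, the payload that makes it backtrack
// exponentially, and a hardened parser that cannot be driven into that state.

// Illustrative vulnerable pattern (assumption: NOT the regex used by
// date-and-time). "digits, optionally followed by separators" is repeated,
// so a run of n digits can be split among the repetitions in 2^(n-1) ways,
// and every split is tried before the overall match is reported as failed.
const VULNERABLE_RE = /^(\d+[-\/ :]*)+\d+$/;

// Constructed payload: n digits that the group can consume many ways, then a
// character that can never match, so the trailing \d+$ fails on every path.
function redosPayload(n) {
  return '1'.repeat(n) + '!';
}

// Time a single test() call (performance is a global in Node 16+).
function timeMatch(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Hardened parser for "YYYY-MM-DD" or "YYYY-MM-DD HH:mm":
//  1. reject oversized input before any regex runs (constant-time check)
//  2. anchored, fixed-width pattern with no nested or overlapping quantifiers,
//     so the engine does bounded work per character and cannot backtrack
//     across ambiguous splits
//  3. range-check the fields; the regex only guarantees shape
const MAX_INPUT_LENGTH = 32;
const SAFE_RE = /^(\d{4})-(\d{2})-(\d{2})(?: (\d{2}):(\d{2}))?$/;

function parseDateSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) return null;
  const m = SAFE_RE.exec(input);
  if (!m) return null;
  const [year, month, day] = [m[1], m[2], m[3]].map(Number);
  const hour = m[4] === undefined ? 0 : Number(m[4]);
  const minute = m[5] === undefined ? 0 : Number(m[5]);
  if (month < 1 || month > 12 || hour > 23 || minute > 59) return null;
  const d = new Date(Date.UTC(year, month - 1, day, hour, minute));
  // Date.UTC silently rolls over (Feb 30 -> Mar 2, day 00 -> previous month)
  // and maps years 0-99 to 1900-1999; reject anything that did not round-trip.
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return null;
  }
  return d;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Work grows exponentially in n; keep n small so the demo finishes quickly.
  for (const n of [12, 16, 20]) {
    const { matched, ms } = timeMatch(VULNERABLE_RE, redosPayload(n));
    console.log(`vulnerable regex, n=${n}: matched=${matched} in ${ms.toFixed(1)} ms`);
  }
  // The hardened parser rejects a huge payload via the length cap before the
  // regex is ever consulted, and accepts a well-formed date.
  console.log('hardened, 500-char payload:', parseDateSafe(redosPayload(500)));
  console.log('hardened, valid input:', parseDateSafe('2020-12-22 10:30').toISOString());
}
```

Running the block directly prints the match time for n = 12, 16 and 20; each step of four roughly multiplies the time by sixteen, which is the signature of catastrophic backtracking. The length cap is the cheapest mitigation available to an application that cannot upgrade immediately, but it is only a stopgap: the real fix is the library's corrected regex in 0.14.2.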

What is the Impact of CVE-2020-26289?

Successful exploitation lets an attacker disrupt service: one crafted request ties up the Node.js event loop for as long as the match takes to fail, so the process stops answering every other request in the meantime, and a stream of such requests keeps it unresponsive. The effect is resource exhaustion and operational downtime; confidentiality and integrity of data are not affected.

What is the Exploitability of CVE-2020-26289?

Exploitation of this vulnerability is of low complexity: the attacker needs a date string shaped to trigger the backtracking, which requires only basic familiarity with ReDoS patterns. There are no authentication, privilege, or user-interaction requirements, since the attack consists of providing malformed input to an application that uses the vulnerable package. It can be exploited remotely wherever the application passes user-supplied date/time strings (query parameters, form fields, JSON bodies, imported files) to the library's parser. The primary risk factor is therefore the application's exposure of untrusted input to the date-and-time parsing logic; code paths that only format dates do not reach the affected parsing mechanism.

What are the Known Public Exploits?

No known public exploits: the proof-of-concept table (PoC, author, link, commentary) is empty for this CVE.

What are the Available Fixes for CVE-2020-26289?

Available Upgrade Options

  • date-and-time
    • <0.14.2 → Upgrade to 0.14.2


Additional Resources

What are Similar Vulnerabilities to CVE-2020-26289?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-26116, CVE-2023-38408, CVE-2022-45136, CVE-2022-26279