CVE-2022-31129
Denial of Service vulnerability in moment (npm)
What is CVE-2022-31129 About?
The 'moment' library is vulnerable to a Regular Expression Denial of Service (ReDoS) caused by quadratic complexity in its RFC 2822 date string parsing. A maliciously crafted string passed to the moment constructor can keep the parser busy for a long time, leading to a denial of service. Exploitation is easy for any attacker who can supply an unvalidated input string to the constructor.
Affected Software
- moment
- >2.18.0, <2.29.4
- Moment.js
- >2.18.0, <2.29.4
Technical Details
The vulnerability lies within the moment library, specifically in its RFC 2822 date string parsing, which the moment constructor falls back to when a string is passed and ISO 8601 parsing does not match. Before parsing, the code strips legacy comments (content within parentheses) from the string with a regular expression, and that expression has quadratic (N^2) time complexity on certain crafted inputs. An attacker can provide a long string composed of repeating opening parentheses (e.g., moment("(".repeat(500000))). For each unmatched "(" the regex engine scans to the end of the string looking for a closing ")" and then backtracks character by character before giving up, so the total work grows with the square of the input length. This is polynomial backtracking rather than the exponential blow-up seen in some ReDoS cases, but with a few hundred thousand characters it is enough to occupy the event loop for a long time, making the application unresponsive. This is a common ReDoS pattern rooted in inefficient regular expression design.
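To make the mechanism concrete, the following added example (not moment's own source, and independent of the moment package) reproduces the comment-stripping step of moment's RFC 2822 preprocessing with the pre-fix and post-fix regular expressions side by side, so the quadratic cost can be timed directly. The regex patterns follow the fix commit referenced below; the helper names, the input strings and the payload size are constructed for this example.

```javascript
// Added example, not code from moment: the comment-removal regex used by
// moment's RFC 2822 preprocessing, in its vulnerable and fixed forms.

// Pre-2.29.4 pattern. After each '(' the class [^)]* runs to the end of the
// string, then backtracks one character at a time looking for ')'. On a
// string of N unmatched '(' characters that is roughly N*N/2 steps.
const COMMENT_RE_VULNERABLE = /\([^)]*\)|[\n\t]/g;

// Pattern from the fix (moment/moment#6015). [^()]* cannot cross another
// '(', so each unmatched '(' fails after one step and the scan stays linear.
const COMMENT_RE_FIXED = /\([^()]*\)|[\n\t]/g;

// Whitespace normalisation that follows comment removal in moment's
// preprocessRFC2822, reproduced so the outputs are comparable end to end.
function preprocessRFC2822(s, commentRe) {
  return s
    .replace(commentRe, ' ')
    .replace(/(\s\s+)/g, ' ')
    .replace(/^\s\s*/, '')
    .replace(/\s\s*$/, '');
}

function preprocessVulnerable(s) {
  return preprocessRFC2822(s, COMMENT_RE_VULNERABLE);
}

function preprocessFixed(s) {
  return preprocessRFC2822(s, COMMENT_RE_FIXED);
}

// Wall-clock time of one call, in milliseconds (Node.js only).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample inputs.
const LEGIT = 'Tue, 21 Jun 2022 12:34:56 +0000 (UTC)';
const NESTED = 'X (a (b) c)';
// The huntr PoC uses 500000 parentheses; kept small here so the demo finishes quickly.
const PAYLOAD = '('.repeat(10000);

function main() {
  // Both patterns agree on a well-formed, non-nested comment.
  console.log('vulnerable:', JSON.stringify(preprocessVulnerable(LEGIT)));
  console.log('fixed:     ', JSON.stringify(preprocessFixed(LEGIT)));
  // They differ on nested comments: the fix only strips the innermost pair.
  console.log('nested, vulnerable:', JSON.stringify(preprocessVulnerable(NESTED)));
  console.log('nested, fixed:     ', JSON.stringify(preprocessFixed(NESTED)));
  // Same payload, very different cost. Double PAYLOAD's length and the
  // vulnerable time roughly quadruples; the fixed time roughly doubles.
  console.log('payload, vulnerable:', timeMs(preprocessVulnerable, PAYLOAD).toFixed(1), 'ms');
  console.log('payload, fixed:     ', timeMs(preprocessFixed, PAYLOAD).toFixed(1), 'ms');
}

main();
```

Run it with `node` and raise the payload length to see the scaling. The output for the nested-comment case also shows the one behavioural change the fix introduces: a comment containing another comment is no longer stripped as a whole, which the maintainers accepted because nested comments are rare in real date headers.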
What is the Impact of CVE-2022-31129?
Successful exploitation may allow attackers to cause a denial of service (DoS) condition, making the affected service unresponsive or unavailable to legitimate users.
What is the Exploitability of CVE-2022-31129?
Exploitation involves sending a specially crafted string to an application that passes it to the 'moment' constructor, which is most likely where the application accepts untrusted user input without a length check. The attack is remote and requires no authentication or special privileges. The complexity is low: the payload is a long run of opening parentheses or a similar pattern. The primary risk factor is an application that does not limit the length of user-provided date strings before handing them to 'moment'. The ease of exploitation is high, as the malicious payload is simple and effective.
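The length check the paragraph above calls for is cheap to add in front of any date parser. The following is an added example of such a guard; it is not code from moment or from the page's vendor. The maximum length, the accepted format (ISO 8601 only) and the use of `Date.parse` as a stand-in for `moment()` are assumptions made for this example so that it runs without the moment package installed.

```javascript
// Added example, not code from moment: reject oversized or unexpected date
// strings before they reach a parser with an RFC 2822 fallback.

// Assumption: no legitimate date/time string this application accepts is
// longer than this. Any cap far below the payload sizes needed for ReDoS works.
const MAX_DATE_STRING_LENGTH = 64;

// Assumption: clients must send ISO 8601 date or date-time strings. Anchored
// on both ends, no nested quantifiers, so the check itself runs in linear time.
const ISO_8601_RE =
  /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}(?::\d{2}(?:\.\d{1,3})?)?(?:Z|[+-]\d{2}:?\d{2})?)?$/;

// Returns { ok: true, value } or { ok: false, reason } without throwing,
// so callers can log the reason and answer with a 400.
function checkDateInput(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Length first: it is O(1) and defeats the ReDoS payload outright.
  if (input.length > MAX_DATE_STRING_LENGTH) {
    return { ok: false, reason: 'too long (' + input.length + ' chars)' };
  }
  if (!ISO_8601_RE.test(input)) {
    return { ok: false, reason: 'not an ISO 8601 date' };
  }
  return { ok: true, value: input };
}

// parse is the real parser, e.g. (s) => moment(s); injected here so the
// guard can be demonstrated with Date.parse as a stand-in.
function parseDateSafely(input, parse) {
  const check = checkDateInput(input);
  if (!check.ok) {
    throw new RangeError('rejected date input: ' + check.reason);
  }
  return parse(check.value);
}

// Constructed inputs: a valid timestamp and the CVE-2022-31129 style payload.
const GOOD = '2022-07-06T12:34:56Z';
const PAYLOAD = '('.repeat(500000);

function demo() {
  const results = {};
  results.good = parseDateSafely(GOOD, Date.parse); // epoch milliseconds
  try {
    parseDateSafely(PAYLOAD, Date.parse);
    results.payload = 'accepted';
  } catch (e) {
    results.payload = e.message; // rejected before any parser ran
  }
  return results;
}

console.log(demo());
```

Put the guard at the trust boundary (request validation, message deserialisation) rather than next to each `moment()` call, and keep the allowed format as narrow as the application can tolerate; the length cap alone already removes the quadratic payload, the format check additionally keeps the string out of moment's lenient fallback parsing.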
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-31129?
About the Fix from Resolved Security
This patch tightens the regex used to strip comments from date strings so that it matches only non-nested parentheses. Because the character class inside the parentheses can no longer run across a second "(", an unmatched opening parenthesis fails immediately instead of scanning and backtracking over the rest of the input, which removes the quadratic behaviour. It fixes CVE-2022-31129 by eliminating the Regular Expression Denial of Service (ReDoS) that crafted inputs could trigger.
Available Upgrade Options
- moment
- >2.18.0, <2.29.4 → Upgrade to 2.29.4
- Moment.js
- >2.18.0, <2.29.4 → Upgrade to 2.29.4
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
- https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504
- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
- https://osv.dev/vulnerability/GHSA-wc69-rhjr-hc9g
- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
What are Similar Vulnerabilities to CVE-2022-31129?
Similar Vulnerabilities: CVE-2022-25883, CVE-2022-25881, CVE-2021-3918, CVE-2021-42200, CVE-2021-45061
