CVE-2023-22467
Denial of Service vulnerability in luxon (npm)
What is CVE-2023-22467 About?
This vulnerability in Luxon's `DateTime.fromRFC2822()` exhibits quadratic complexity for specific inputs, leading to a noticeable slowdown. It enables attackers to perform a Regular Expression Denial of Service (ReDoS) attack by providing long, crafted inputs. Such attacks can render the application unresponsive, significantly impacting service availability.
Affected Software
- luxon
  - >3.0.0, <3.2.1
  - >2.0.0, <2.5.2
  - >1.0.0, <1.28.1
Technical Details
The `DateTime.fromRFC2822()` function in Luxon has quadratic time complexity, O(N²), when processing certain inputs, particularly long ones (e.g., above 10,000 characters). This behavior is akin to a Regular Expression Denial of Service (ReDoS) attack, where a carefully constructed, extended input string causes the parsing algorithm to consume disproportionately large amounts of CPU time due to inefficient pattern matching. This resource exhaustion effectively denies service to legitimate users, as the application becomes unresponsive while processing the malicious input. The vulnerability is comparable to a known issue in Moment.js, indicating a similar underlying algorithmic inefficiency.
What is the Impact of CVE-2023-22467?
Successful exploitation may allow attackers to trigger a Denial of Service, causing applications to become unresponsive and affecting service availability.
What is the Exploitability of CVE-2023-22467?
Exploitation involves providing a specially crafted, lengthy input string to the DateTime.fromRFC2822() method. The complexity is low, primarily requiring knowledge of the specific input patterns that trigger the quadratic complexity. There are no authentication or special privilege requirements beyond the ability to supply input to this function. This can be exploited remotely if an application exposes functionality that passes user-controlled strings to DateTime.fromRFC2822(). The length of the input significantly increases the likelihood and severity of exploitation, as it directly impacts the quadratic processing time. The primary risk factor is the acceptance of untrusted, unbounded input to the vulnerable method.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-22467?
About the Fix from Resolved Security
The patch updates the comment-stripping regex in `preprocessRFC2822` from `/\([^)]*\)|[\n\t]/g` to `/\([^()]*\)|[\n\t]/g`, so that a comment match can no longer run across an opening parenthesis. With the old pattern, every unclosed `(` made the engine scan to the end of the string before giving up and retrying from the next position, which is what produced the quadratic running time on long inputs; with the new pattern each `(` is abandoned as soon as the next parenthesis is seen. This fixes CVE-2023-22467 by ensuring that maliciously crafted input with many nested or unbalanced parentheses no longer triggers quadratic execution time.
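As an added example (not Luxon's own code and not part of the advisory), the block below puts the pre-fix and post-fix comment-stripping regexes from the patch side by side in a function shaped like Luxon's `preprocessRFC2822`, and adds the caller-side length guard that the exploitability section's "untrusted, unbounded input" remark calls for. `MAX_RFC2822_LEN`, `guardRFC2822Input` and `safeFromRFC2822` are assumed names and values, not Luxon APIs; the parser is injected as a parameter so the file runs without luxon installed.

```javascript
// Added example, not Luxon's own code. Shows the comment-stripping step of
// Luxon's preprocessRFC2822 with the pre-fix and post-fix regexes from the
// CVE-2023-22467 patch, plus a caller-side length guard for untrusted input.
// MAX_RFC2822_LEN and the guard/wrapper names below are assumptions.

// Pre-fix pattern: `[^)]*` consumes '(' characters too, so for an unclosed
// '(' the engine reads to the end of the string, backtracks, fails, and then
// repeats the same scan from the next '(' -- O(n^2) on long inputs.
const COMMENT_RE_VULNERABLE = /\([^)]*\)|[\n\t]/g;

// Post-fix pattern (luxon 1.28.1, 2.5.2, 3.2.1): `[^()]*` stops at the next
// parenthesis, so each '(' costs at most one short scan -- O(n).
const COMMENT_RE_FIXED = /\([^()]*\)|[\n\t]/g;

// Same shape as Luxon's preprocessing step: replace comments and folding
// whitespace with a space, collapse whitespace runs, trim.
function preprocessRFC2822(s, commentRe = COMMENT_RE_FIXED) {
  return s.replace(commentRe, " ").replace(/(\s\s+)/g, " ").trim();
}

// Assumed upper bound: a legitimate RFC 2822 date-time, even with a few
// comments, is far shorter than this, so the cap costs nothing for real
// input and refuses the long strings the quadratic path depends on.
const MAX_RFC2822_LEN = 256;

function guardRFC2822Input(s) {
  if (typeof s !== "string") {
    return { ok: false, reason: "input is not a string" };
  }
  if (s.length > MAX_RFC2822_LEN) {
    return { ok: false, reason: "input exceeds " + MAX_RFC2822_LEN + " characters" };
  }
  return { ok: true, value: s };
}

// Hypothetical wrapper: `parse` is whichever parser the application uses
// (in a real app, luxon's DateTime.fromRFC2822). It is injected so this
// file runs stand-alone; the guard runs before any regex touches the input.
function safeFromRFC2822(s, parse) {
  const check = guardRFC2822Input(s);
  if (!check.ok) {
    return check;
  }
  return { ok: true, value: parse(check.value) };
}

// Constructed sample inputs.
const SAMPLE_WITH_COMMENT = "Tue, 01 Nov 2016 13:23:12 +0630 (Asia/Calcutta)";
const SAMPLE_FOLDED = "Tue,\n 01 Nov 2016\t13:23:12 +0630";
const SAMPLE_NESTED = "(a(b)c)"; // the two regexes disagree on nested comments

if (typeof require !== "undefined" && require.main === module) {
  console.log(preprocessRFC2822(SAMPLE_WITH_COMMENT));
  console.log(preprocessRFC2822(SAMPLE_FOLDED));
  console.log(
    "nested, pre-fix:", preprocessRFC2822(SAMPLE_NESTED, COMMENT_RE_VULNERABLE),
    "| post-fix:", preprocessRFC2822(SAMPLE_NESTED)
  );
  console.log(safeFromRFC2822("x".repeat(1000), (v) => v));
}
```

Both patterns give the same result for well-formed dates with a single comment; they differ only when a comment contains another `(`, which is exactly the case the patch stops matching. The guard is the cheaper defence for application code that cannot upgrade immediately: it rejects over-long strings before `DateTime.fromRFC2822()` runs any regex at all.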
Available Upgrade Options
- luxon
  - >1.0.0, <1.28.1 → Upgrade to 1.28.1
  - >2.0.0, <2.5.2 → Upgrade to 2.5.2
  - >3.0.0, <3.2.1 → Upgrade to 3.2.1
Additional Resources
- https://github.com/moment/moment/pull/6015#issuecomment-1152961973
- https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc
- https://github.com/moment/luxon
- https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR
- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ
- https://nvd.nist.gov/vuln/detail/CVE-2023-22467
- https://osv.dev/vulnerability/GHSA-3xq5-wjfh-ppjc
What are Similar Vulnerabilities to CVE-2023-22467?
Similar Vulnerabilities: CVE-2020-28283, CVE-2021-23437, CVE-2021-23424, CVE-2022-25916
