CVE-2016-4055 — Uncontrolled Resource Consumption in Moment
CWE-400 — Uncontrolled Resource Consumption
CWE-185 — Incorrect Regular Expression
13 documents, 9 sources
Severity
6.5 MEDIUM (NVD)
EPSS
2.7%
top 14.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 23
Latest update: Mar 15
Description
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 4 packages
Patches
Vulnerability Details: 4
Vendor Advisories: 5
Microsoft
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. (2018-03-13)
Debian
CVE-2016-4055: node-moment - The duration function in the moment package before 2.11.2 for Node.js allows rem... (2016)