CVE-2022-31129
published 2022-07-06

Priority: P343 (high)
CVSS 3.1: 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.95% (89.1th percentile)
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more precisely rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without sanity length checks are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the date lengths accepted from user input.

Affected

16 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | node-moment | < node-moment 2.29.4+ds-1 (bookworm) | node-moment 2.29.4+ds-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
fedoraproject | fedora | |
moment | luxon | |
moment | luxon | |
moment | luxon | |
moment | moment | >= 2.18.0 < 2.29.4 | 2.29.4
momentjs | luxon | >= 1.0.0 < 1.28.1 | 1.28.1
momentjs | luxon | >= 2.0.0 < 2.5.2 | 2.5.2
momentjs | luxon | >= 3.0.0 < 3.2.1 | 3.2.1
momentjs | moment | >= 2.18.0 < 2.29.4 | 2.29.4
postfixadmin | postfixadmin | >= 0 < 3.0.2-2ubuntu0.1~esm1 | 3.0.2-2ubuntu0.1~esm1
postfixadmin | postfixadmin | >= 0 < 3.2.1-3ubuntu0.1~esm1 | 3.2.1-3ubuntu0.1~esm1
postfixadmin | postfixadmin | >= 0 < 3.3.10-2ubuntu0.1~esm1 | 3.3.10-2ubuntu0.1~esm1

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P
osv | | 8.8 | HIGH |
vendor_ubuntu | | 8.8 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_oracle | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |