CVE-2022-31129
published 2022-07-06CVE-2022-31129: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient…
PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
3.95%
89.1th percentile
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | node-moment | < node-moment 2.29.4+ds-1 (bookworm) | node-moment 2.29.4+ds-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| moment | luxon | — | — |
| moment | luxon | — | — |
| moment | luxon | — | — |
| moment | moment | >= 2.18.0 < 2.29.4 | 2.29.4 |
| momentjs | luxon | >= 1.0.0 < 1.28.1 | 1.28.1 |
| momentjs | luxon | >= 2.0.0 < 2.5.2 | 2.5.2 |
| momentjs | luxon | >= 3.0.0 < 3.2.1 | 3.2.1 |
| momentjs | moment | >= 2.18.0 < 2.29.4 | 2.29.4 |
| postfixadmin | postfixadmin | >= 0 < 3.0.2-2ubuntu0.1~esm1 | 3.0.2-2ubuntu0.1~esm1 |
| postfixadmin | postfixadmin | >= 0 < 3.2.1-3ubuntu0.1~esm1 | 3.2.1-3ubuntu0.1~esm1 |
| postfixadmin | postfixadmin | >= 0 < 3.3.10-2ubuntu0.1~esm1 | 3.3.10-2ubuntu0.1~esm1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv8.8HIGH
vendor_ubuntu8.8HIGH
vendor_debian7.5HIGH
vendor_oracle7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Oracle
Oracle Oracle Food and Beverage Applications Risk Matrix: Engagement (Moment.js) — CVE-2022-31129
vendor_oracle·2024-10-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Food and Beverage Applications Risk Matrix: Engagement (Moment.js) — CVE-2022-31129
Oracle Oracle Food and Beverage Applications Risk Matrix: Engagement (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
Ubuntu
PostfixAdmin vulnerabilities
vendor_ubuntu·2023-12-12·CVSS 8.8
CVE-2022-31129 [HIGH] PostfixAdmin vulnerabilities
Title: PostfixAdmin vulnerabilities
Summary: Several security issues were fixed in PostfixAdmin.
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)
It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-31129)
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly escaping JavaScript code. An attacker could
p
Oracle
Oracle Oracle Utilities Applications Risk Matrix: General (Moment.js) — CVE-2022-31129
vendor_oracle·2023-10-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Utilities Applications Risk Matrix: General (Moment.js) — CVE-2022-31129
Oracle Oracle Utilities Applications Risk Matrix: General (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: IDM - Authentication (Moment.js) — CVE-2022-31129
vendor_oracle·2023-07-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Financial Services Applications Risk Matrix: IDM - Authentication (Moment.js) — CVE-2022-31129
Oracle Oracle Financial Services Applications Risk Matrix: IDM - Authentication (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Oracle
Oracle Oracle Communications Risk Matrix: Third Party (Moment.js) — CVE-2022-31129
vendor_oracle·2023-04-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Communications Risk Matrix: Third Party (Moment.js) — CVE-2022-31129
Oracle Oracle Communications Risk Matrix: Third Party (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Oracle
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Moment.js) — CVE-2022-31129
vendor_oracle·2023-01-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Communications Risk Matrix: Install/Upgrade (Moment.js) — CVE-2022-31129
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
Red Hat
luxon: Inefficient regular expression complexity in luxon.js
vendor_redhat·2023-01-04·CVSS 7.5
CVE-2023-22467 [HIGH] CWE-1333 luxon: Inefficient regular expression complexity in luxon.js
luxon: Inefficient regular expression complexity in luxon.js
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
A flaw was found in the luxon package, resulting in a regular expression denial of service. This issue could allow an attacker to craft and supply in
Oracle
Oracle Oracle Communications Applications Risk Matrix: Billing Care (Moment.js) — CVE-2022-31129
vendor_oracle·2022-10-15·CVSS 7.5
CVE-2022-31129 [HIGH] Oracle Oracle Communications Applications Risk Matrix: Billing Care (Moment.js) — CVE-2022-31129
Oracle Oracle Communications Applications Risk Matrix: Billing Care (Moment.js) vulnerability
CVE: CVE-2022-31129
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2022 (OCT 2022)
Ubuntu
Moment.js vulnerabilities
vendor_ubuntu·2022-08-10·CVSS 7.5
CVE-2022-31129 [HIGH] Moment.js vulnerabilities
Title: Moment.js vulnerabilities
Summary: Several security issues were fixed in Moment.js.
It was discovered that Moment.js incorrectly handled certain input paths. An
attacker could possibly use this issue to cause a loss of integrity by
changing the correct path to one of their choice. (CVE-2022-24785)
It was discovered that Moment.js incorrectly handled certain input. An attacker
could possibly use this issue to cause a denial of service. (CVE-2022-31129)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
moment: inefficient parsing algorithm resulting in DoS
vendor_redhat·2022-07-06·CVSS 7.5
CVE-2022-31129 [HIGH] CWE-400 moment: inefficient parsing algorithm resulting in DoS
moment: inefficient parsing algorithm resulting in DoS
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date le
Debian
CVE-2022-31129: node-moment - moment is a JavaScript date library for parsing, validating, manipulating, and f...
vendor_debian·2022·CVSS 7.5
CVE-2022-31129 [HIGH] CVE-2022-31129: node-moment - moment is a JavaScript date library for parsing, validating, manipulating, and f...
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Scope: local
bookworm: r
OSV
postfixadmin vulnerabilities
osv·2023-12-12·CVSS 8.8
CVE-2022-29221 [HIGH] postfixadmin vulnerabilities
postfixadmin vulnerabilities
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)
It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-31129)
It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly escaping JavaScript code. An attacker could
possibly use this issue to conduct cross-site scripting attacks (XSS).
OSV
node-moment vulnerabilities
osv·2022-08-10·CVSS 7.5
CVE-2022-24785 [HIGH] node-moment vulnerabilities
node-moment vulnerabilities
It was discovered that Moment.js incorrectly handled certain input paths. An
attacker could possibly use this issue to cause a loss of integrity by
changing the correct path to one of their choice. (CVE-2022-24785)
It was discovered that Moment.js incorrectly handled certain input. An attacker
could possibly use this issue to cause a denial of service. (CVE-2022-31129)
OSV
Moment.js vulnerable to Inefficient Regular Expression Complexity
osv·2022-07-06
CVE-2022-31129 [HIGH] Moment.js vulnerable to Inefficient Regular Expression Complexity
Moment.js vulnerable to Inefficient Regular Expression Complexity
### Impact
* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
### Patches
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
### Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment
OSV
CVE-2022-31129: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates
osv·2022-07-06·CVSS 7.5
CVE-2022-31129 [HIGH] CVE-2022-31129: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
GHSA
Moment.js vulnerable to Inefficient Regular Expression Complexity
ghsa·2022-07-06
CVE-2022-31129 [HIGH] CWE-1333 Moment.js vulnerable to Inefficient Regular Expression Complexity
Moment.js vulnerable to Inefficient Regular Expression Complexity
### Impact
* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
### Patches
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
### Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment
No detection rules found.
No public exploits indexed.
Qualys
Detecting Vulnerabilities in JavaScript Libraries: jQuery & Bootstrap | Qualys
blogs_qualys·2023-01-16
Detecting Vulnerabilities in JavaScript Libraries: jQuery & Bootstrap | Qualys
#### Table of Contents
- JavaScript Frameworks
- Detecting JavaScript Library Vulnerabilities with Qualys WAS
- Solution
- Contributors
JavaScript is a popular programming language which is an integral component while developing interactive and dynamic web applications. It allows developers to create engaging and responsive user interfaces, handling complex web page elements, enhancing the overall functionality of the application. According to W3Techs statistics, 98% of all the websites use JavaScript as client-side programming language.
To further simplify the web development process and make it efficient, Web developers frequently use JavaScript library, a collection of pre-written JavaScript codes that can be easily integrated with application projects. These libraries can provide a
Qualys
Detection of Vulnerabilities in JavaScript Libraries
blogs_qualys·2023-01-16
Detection of Vulnerabilities in JavaScript Libraries
## Table of Contents
JavaScript Frameworks
Detecting JavaScript Library Vulnerabilities with Qualys WAS
Solution
Contributors
JavaScript is a popular programming language which is an integral component while developing interactive and dynamic web applications. It allows developers to create engaging and responsive user interfaces, handling complex web page elements, enhancing the overall functionality of the application. According to W3Techs statistics , 98% of all the websites use JavaScript as client-side programming language.
To further simplify the web development process and make it efficient, Web developers frequently use JavaScript library, a collection of pre-written JavaScript codes that can be easily integrated with application projects. These libraries can provide a variet
arXiv
Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web
arxiv_fulltext·2026-01-23
Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web
Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web
Ben Swierzy
[email protected]
0009-0003-0485-4791
Fraunhofer FKIE
University of Bonn
Bonn
Germany
Marc Ohm
[email protected]
0000-0002-2913-5270
University of Bonn
Fraunhofer FKIE
Bonn
Germany
Michael Meier
[email protected]
0009-0006-8199-5004
University of Bonn
Fraunhofer FKIE
Bonn
Germany
Swierzy et al.
## Abstract
Reusable software components, typically distributed as packages, are a central paradigm of modern software development.
The JavaScript ecosystem serves as a prime example, offering millions of packages with their use being promoted as idiomatic.
However, download statistics on npm raise security concerns as they indicate a high popularity of vulnerable package
HackerOne
[nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
hackerone·2022-12-09
[nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
[nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
## Describe the bugs: 🐛
moment is a lightweight JavaScript date library for parsing, validating, manipulating, and formatting dates. affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the preprocessRFC2822() function in from-string.js, when processing a very long crafted string (over 10k characters).
**PoC:**
```javascript
moment("(".repeat(500000))
```
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed D
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3https://github.com/moment/moment/pull/6015#issuecomment-1152961973https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9ghttps://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/https://lists.debian.org/debian-lts-announce/2023/01/msg00035.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/https://security.netapp.com/advisory/ntap-20221014-0003/https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3https://github.com/moment/moment/pull/6015#issuecomment-1152961973https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9ghttps://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/https://lists.debian.org/debian-lts-announce/2023/01/msg00035.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/https://security.netapp.com/advisory/ntap-20221014-0003/https://security.netapp.com/advisory/ntap-20241108-0002/
2022-07-06
Published