Inefficient Regular Expression Complexity in moment

Cx62f5bb1b-fa5e

moment
Moment.js
org.webjars.bower:moment
org.webjars.npm:moment

High

7.5/10

Summary

A Regular Expression Denial of Service (ReDoS) in moment 2.18 through 2.29.3 makes the server unavailable when a specially crafted input is provided to the default function "moment()", which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

Issue
Pull request
Advisory

Advisory Timeline

Published Jun 07, 2022

Inefficient Regular Expression Complexity in moment

Cx62f5bb1b-fa5e

Summary

CWE-1333 - Inefficient Regular Expression Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS