CVE-2023-22467
Summary
| CVE | CVE-2023-22467 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-04 22:15:00 UTC |
| Updated | 2023-01-17 17:17:00 UTC |
| Description | Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input. |
Risk And Classification
Problem Types: CWE-1333 (Inefficient Regular Expression Complexity)
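The following is an added example, not code from the Luxon or Moment projects. It shows the CWE-1333 failure mode behind this record on a comment-stripping step of the kind an RFC 2822 preprocessor performs, and the length cap the description gives as a workaround. The two regexes, the `MAX_RFC2822_INPUT` cap and the `parseRFC2822Bounded` wrapper are constructed for illustration; the library's actual expressions are in the linked commits and are not reproduced here.

```javascript
// Added example, not Luxon's or Moment's own code. Illustrates quadratic regex
// backtracking (CWE-1333) on a constructed RFC 2822 comment-stripping step and
// the input-length cap the advisory recommends as a workaround.

// Assumption: a cap well above any legitimate RFC 2822 date-time (under 100
// characters in practice) but far below the ~10k where slowdown becomes visible.
const MAX_RFC2822_INPUT = 1024;

// Quadratic variant (constructed). For every "(" it starts at, `[^)]*` runs to
// the first ")" or to end of input and then backtracks one character at a
// time, so an input of n "(" characters with no ")" costs on the order of n^2
// steps.
function stripCommentsQuadratic(s) {
  return s
    .replace(/\([^)]*\)|[\n\t]/g, " ") // comments and folding whitespace -> space
    .replace(/\s\s+/g, " ")            // collapse runs of whitespace
    .trim();
}

// Linear variant (constructed). `[^()]*` also stops at the next "(", so each
// "(" only scans its own segment and a run of "(" fails in constant time per
// position. On nested comments such as "(a(b)c)" the two variants strip
// different spans; neither implements RFC 2822 comment nesting.
function stripCommentsLinear(s) {
  return s
    .replace(/\([^()]*\)|[\n\t]/g, " ")
    .replace(/\s\s+/g, " ")
    .trim();
}

// The advisory's workaround: bound input length before any regex touches it.
// `parse` is whatever parser the caller uses; in real code pass luxon's
// DateTime.fromRFC2822. It is a parameter here (assumption) so the example
// runs without the library.
function parseRFC2822Bounded(input, parse, maxLen = MAX_RFC2822_INPUT) {
  if (typeof input !== "string") {
    return { ok: false, reason: "input is not a string" };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLen}` };
  }
  return { ok: true, value: parse(input) };
}

// Wall-clock cost of one call, for comparing the two variants.
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

function demo() {
  const hostile = "(".repeat(10000); // constructed: 10k "(" with no closing ")"
  console.log("quadratic:", timeMs(stripCommentsQuadratic, hostile), "ms");
  console.log("linear:   ", timeMs(stripCommentsLinear, hostile), "ms");
  console.log(parseRFC2822Bounded(hostile, stripCommentsLinear));
  console.log(parseRFC2822Bounded("Tue, 03 Jan 2023 12:00:00 +0000 (UTC)", stripCommentsLinear));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Raising the repeat count in `demo()` makes the quadratic variant's cost grow with the square of the input while the linear variant stays flat; the cap in `parseRFC2822Bounded` rejects the hostile input before either regex runs, which is why limiting input length is a valid stop-gap even on an unpatched version.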
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [bugfix] Fix redos in preprocessRFC2822 regex by vovikhangcdv · Pull Request #6015 · moment/moment · GitHub | MISC | github.com | |
| Inefficient regular expression complexity in luxon.js · Advisory · moment/luxon · GitHub | MISC | github.com | |
| fix rfc2822 regex · moment/luxon@5ab3bf6 · GitHub | MISC | github.com | |
| Inefficient Regular Expression Complexity in moment · Advisory · moment/moment · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.