{"api_version":"1","generated_at":"2026-04-23T01:14:59+00:00","cve":"CVE-2022-31129","urls":{"html":"https://cve.report/CVE-2022-31129","api":"https://cve.report/api/cve/CVE-2022-31129.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-31129","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-31129"},"summary":{"title":"CVE-2022-31129","description":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-07-06 18:15:00","updated_at":"2023-11-07 03:47:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/","name":"FEDORA-2022-798fd95813","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: subscription-manager-cockpit-4-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g","name":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g","refsource":"CONFIRM","tags":[],"title":"Inefficient Regular Expression Complexity in moment · Advisory · moment/moment · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/","name":"FEDORA-2022-85aa8e5706","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: python-notebook-6.4.0-4.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973","name":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973","refsource":"MISC","tags":[],"title":"[bugfix] Fix redos in preprocessRFC2822 regex by vovikhangcdv · Pull Request #6015 · moment/moment · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/","name":"FEDORA-2022-798fd95813","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: subscription-manager-cockpit-4-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html","name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3295-1] node-moment security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/","name":"FEDORA-2022-b9ef7c3c3c","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: subscription-manager-cockpit-4-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/","name":"FEDORA-2022-35b698150c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: python-notebook-6.4.11-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/","name":"https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/","refsource":"MISC","tags":[],"title":"Regular Expression Denial of Service (ReDoS)  vulnerability found in moment","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20221014-0003/","name":"https://security.netapp.com/advisory/ntap-20221014-0003/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-31129 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3","name":"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3","refsource":"MISC","tags":[],"title":"[bugfix] Fix redos in preprocessRFC2822 regex (#6015) · moment/moment@9a3b589 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/","name":"FEDORA-2022-85aa8e5706","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: python-notebook-6.4.0-4.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/","name":"FEDORA-2022-35b698150c","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: python-notebook-6.4.11-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/","name":"FEDORA-2022-b9ef7c3c3c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: subscription-manager-cockpit-4-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-31129","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31129","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"momentjs","cpe5":"moment","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"31129","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"momentjs","cpe5":"moment","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"nuget","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-31129","qid":"181017","title":"Debian Security Update for node-moment (CVE-2022-31129)"},{"cve":"CVE-2022-31129","qid":"181530","title":"Debian Security Update for node-moment (DLA 3295-1)"},{"cve":"CVE-2022-31129","qid":"198899","title":"Ubuntu Security Notification for Moment.js Vulnerabilities (USN-5559-1)"},{"cve":"CVE-2022-31129","qid":"199998","title":"Ubuntu Security Notification for PostfixAdmin Vulnerabilities (USN-6550-1)"},{"cve":"CVE-2022-31129","qid":"241726","title":"Red Hat Update for red hat ceph storage 6.1 (RHSA-2023:3623)"},{"cve":"CVE-2022-31129","qid":"282965","title":"Fedora Security Update for python (FEDORA-2022-35b698150c)"},{"cve":"CVE-2022-31129","qid":"282966","title":"Fedora Security Update for python (FEDORA-2022-85aa8e5706)"},{"cve":"CVE-2022-31129","qid":"283088","title":"Fedora Security Update for subscription (FEDORA-2022-b9ef7c3c3c)"},{"cve":"CVE-2022-31129","qid":"285305","title":"Fedora Security Update for python (FEDORA-2023-3256575fc8)"},{"cve":"CVE-2022-31129","qid":"377909","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2023)"},{"cve":"CVE-2022-31129","qid":"378004","title":"Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)"},{"cve":"CVE-2022-31129","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-31129","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-31129","qid":"691087","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for mantis (bed545c6-bdb8-11ed-bca8-a33124f1beb1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-31129","STATE":"PUBLIC","TITLE":"Inefficient Regular Expression Complexity in moment"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"moment","version":{"version_data":[{"version_value":" >= 2.18.0, < 2.29.4"}]}}]},"vendor_name":"moment"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource Consumption"}]}]},"references":{"reference_data":[{"name":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g","refsource":"CONFIRM","url":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"},{"name":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973","refsource":"MISC","url":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973"},{"name":"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3","refsource":"MISC","url":"https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"},{"name":"https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/","refsource":"MISC","url":"https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/"},{"refsource":"FEDORA","name":"FEDORA-2022-85aa8e5706","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"},{"refsource":"FEDORA","name":"FEDORA-2022-35b698150c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"},{"refsource":"FEDORA","name":"FEDORA-2022-b9ef7c3c3c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/"},{"refsource":"FEDORA","name":"FEDORA-2022-798fd95813","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20221014-0003/","url":"https://security.netapp.com/advisory/ntap-20221014-0003/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"}]},"source":{"advisory":"GHSA-wc69-rhjr-hc9g","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-07-06 18:15:00","lastModifiedDate":"2023-11-07 03:47:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:momentjs:moment:*:*:*:*:*:nuget:*:*","versionStartIncluding":"2.18.0","versionEndExcluding":"2.29.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.18.0","versionEndExcluding":"2.29.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}