// For flags

CVE-2023-22467

luxon.js inefficient regular expression complexity vulnerability

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Luxon es una librería para trabajar con fechas y horas en JavaScript. En la rama 1.x anterior a 1.38.1, la rama 2.x anterior a 2.5.2 y la rama 3.x en 3.2.1, `DateTime.fromRFC2822() de Luxon tiene complejidad cuadrática (N^2) en algunas entradas específicas. Esto provoca una notable desaceleración en las entradas con longitudes superiores a 10 000 caracteres. Por lo tanto, los usuarios que proporcionan datos no confiables a este método son vulnerables a ataques (Re)DoS. Este problema también aparece en Moment como CVE-2022-31129. Las versiones 1.38.1, 2.5.2 y 3.2.1 contienen parches para este problema. Como workaround, limite la longitud de la entrada.

A flaw was found in the luxon package, resulting in a regular expression denial of service. This issue could allow an attacker to craft and supply inputs above 10k characters, causing a denial of service.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-12-29 CVE Reserved
  • 2023-01-04 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-25 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-1333: Inefficient Regular Expression Complexity
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Momentjs
Search vendor "Momentjs"
Luxon
Search vendor "Momentjs" for product "Luxon"
>= 1.0.0 < 1.28.1
Search vendor "Momentjs" for product "Luxon" and version " >= 1.0.0 < 1.28.1"
node.js
Affected
Momentjs
Search vendor "Momentjs"
Luxon
Search vendor "Momentjs" for product "Luxon"
>= 2.0.0 < 2.5.2
Search vendor "Momentjs" for product "Luxon" and version " >= 2.0.0 < 2.5.2"
node.js
Affected
Momentjs
Search vendor "Momentjs"
Luxon
Search vendor "Momentjs" for product "Luxon"
>= 3.0.0 < 3.2.1
Search vendor "Momentjs" for product "Luxon" and version " >= 3.0.0 < 3.2.1"
node.js
Affected