CVE-2023-22467

luxon.js inefficient regular expression complexity vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Luxon es una librería para trabajar con fechas y horas en JavaScript. En la rama 1.x anterior a 1.38.1, la rama 2.x anterior a 2.5.2 y la rama 3.x en 3.2.1, `DateTime.fromRFC2822() de Luxon tiene complejidad cuadrática (N^2) en algunas entradas específicas. Esto provoca una notable desaceleración en las entradas con longitudes superiores a 10 000 caracteres. Por lo tanto, los usuarios que proporcionan datos no confiables a este método son vulnerables a ataques (Re)DoS. Este problema también aparece en Moment como CVE-2022-31129. Las versiones 1.38.1, 2.5.2 y 3.2.1 contienen parches para este problema. Como workaround, limite la longitud de la entrada.

A flaw was found in the luxon package, resulting in a regular expression denial of service. This issue could allow an attacker to craft and supply inputs above 10k characters, causing a denial of service.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-12-29 CVE Reserved
2023-01-04 CVE Published
2024-08-02 CVE Updated
2024-08-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1333: Inefficient Regular Expression Complexity

CAPEC

References (8)

URL	Tag	Source
https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc	Third Party Advisory
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g	Not Applicable
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR

URL	Date	SRC

URL	Date	SRC
https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf	2024-02-12
https://github.com/moment/moment/pull/6015#issuecomment-1152961973	2024-02-12

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-22467	2023-02-07
https://bugzilla.redhat.com/show_bug.cgi?id=2159959	2023-02-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Momentjs Search vendor "Momentjs"		Luxon Search vendor "Momentjs" for product "Luxon"				>= 1.0.0 < 1.28.1 Search vendor "Momentjs" for product "Luxon" and version " >= 1.0.0 < 1.28.1"		node.js		Affected
Momentjs Search vendor "Momentjs"		Luxon Search vendor "Momentjs" for product "Luxon"				>= 2.0.0 < 2.5.2 Search vendor "Momentjs" for product "Luxon" and version " >= 2.0.0 < 2.5.2"		node.js		Affected
Momentjs Search vendor "Momentjs"		Luxon Search vendor "Momentjs" for product "Luxon"				>= 3.0.0 < 3.2.1 Search vendor "Momentjs" for product "Luxon" and version " >= 3.0.0 < 3.2.1"		node.js		Affected