CVE-2023-22467
luxon.js inefficient regular expression complexity vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
Luxon es una librería para trabajar con fechas y horas en JavaScript. En la rama 1.x anterior a 1.38.1, la rama 2.x anterior a 2.5.2 y la rama 3.x en 3.2.1, `DateTime.fromRFC2822() de Luxon tiene complejidad cuadrática (N^2) en algunas entradas específicas. Esto provoca una notable desaceleración en las entradas con longitudes superiores a 10 000 caracteres. Por lo tanto, los usuarios que proporcionan datos no confiables a este método son vulnerables a ataques (Re)DoS. Este problema también aparece en Moment como CVE-2022-31129. Las versiones 1.38.1, 2.5.2 y 3.2.1 contienen parches para este problema. Como workaround, limite la longitud de la entrada.
A flaw was found in the luxon package, resulting in a regular expression denial of service. This issue could allow an attacker to craft and supply inputs above 10k characters, causing a denial of service.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-12-29 CVE Reserved
- 2023-01-04 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-25 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1333: Inefficient Regular Expression Complexity
CAPEC
References (8)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf | 2024-02-12 | |
https://github.com/moment/moment/pull/6015#issuecomment-1152961973 | 2024-02-12 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-22467 | 2023-02-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2159959 | 2023-02-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Momentjs Search vendor "Momentjs" | Luxon Search vendor "Momentjs" for product "Luxon" | >= 1.0.0 < 1.28.1 Search vendor "Momentjs" for product "Luxon" and version " >= 1.0.0 < 1.28.1" | node.js |
Affected
| ||||||
Momentjs Search vendor "Momentjs" | Luxon Search vendor "Momentjs" for product "Luxon" | >= 2.0.0 < 2.5.2 Search vendor "Momentjs" for product "Luxon" and version " >= 2.0.0 < 2.5.2" | node.js |
Affected
| ||||||
Momentjs Search vendor "Momentjs" | Luxon Search vendor "Momentjs" for product "Luxon" | >= 3.0.0 < 3.2.1 Search vendor "Momentjs" for product "Luxon" and version " >= 3.0.0 < 3.2.1" | node.js |
Affected
|