Regular Expression Denial of Service in moment

Description

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update the moment package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.19.3
• Patched version(s): 2.19.3

References

• GHSA-446m-mv8f-q348
• www.npmjs.com
• www.tenable.com
• CVE-2017-18214
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Regular Expression Denial Of Service in uri-js - CVE-2017-16021
• Regular Expression Denial of Service in moment - moment - CVE-2016-4055
• Regular Expression Denial of Service in marked - marked - CVE-2017-16114
• Regular Expression Denial of Service in string package - CVE-2017-16116

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

moment