Regular Expression Denial of Service in moment (GHSA-87vv-r9j6-g5qv)
- Severity:
- Medium
Description
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
Recommendation
Update the moment package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.11.2
- Patched version(s): 2.11.2
References
- GHSA-87vv-r9j6-g5qv
- www.npmjs.com
- lists.apache.org
- www.tenable.com
- www.openwall.com
- www.oracle.com
- www.securityfocus.com
- CVE-2016-4055
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service in jadedown - CVE-2016-10520
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) (GHSA-545q-3fg6-48m7) - CVE-2021-23346
- Regular expression denial of service in jquery-validation (GHSA-j9m2-h2pv-wvph) - CVE-2021-43306
- regular expression denial of service (ReDoS) (GHSA-r92x-f52r-x54g) - CVE-2020-26289
- Tags:
- npm
- moment
Anything's wrong? Let us know Last updated on February 03, 2023