Headline
GHSA-3xq5-wjfh-ppjc: Luxon Inefficient Regular Expression Complexity vulnerability
Impact
Luxon’s `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.
This is the same bug as Moment’s https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
Workarounds
Limit the length of the input.
References
There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
Details
DateTime.fromRFC2822("(".repeat(500000))
takes a couple minutes to complete.
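The workaround above is to bound input length before the parser sees it. The following is an added example, not Luxon's own code: a guard that rejects over-long strings before they reach DateTime.fromRFC2822. The parser is injected as a parameter so the example runs offline; in real code you would pass `(s) => DateTime.fromRFC2822(s)` from the luxon package. The 256-character cap, the InputTooLongError class and the recording stand-in parser are assumptions made for this example.

```javascript
// Added example (not from the advisory or the Luxon project): enforce the
// "limit the length of the input" workaround before calling the parser.

// A well-formed RFC 2822 date-time such as "Tue, 01 Nov 2016 13:23:12 +0630"
// is a few dozen characters; the advisory reports slowdowns above ~10k.
// 256 is an assumed cap that still leaves room for comments and folding.
const MAX_RFC2822_LENGTH = 256;

class InputTooLongError extends Error {}

// `parse` is the real parser in production, e.g. (s) => DateTime.fromRFC2822(s).
function safeFromRFC2822(input, parse, maxLength = MAX_RFC2822_LENGTH) {
  if (typeof input !== "string") {
    throw new TypeError("expected a string");
  }
  // The length check happens before any regular expression runs on the data,
  // so the quadratic path is never reached for oversized inputs.
  if (input.length > maxLength) {
    throw new InputTooLongError(
      `RFC 2822 input of ${input.length} chars exceeds limit of ${maxLength}`
    );
  }
  return parse(input);
}

// Constructed stand-in parser used only to exercise the guard offline.
// It is NOT Luxon's parser; it just records the lengths it was handed.
function makeRecordingParser() {
  const calls = [];
  const parse = (s) => {
    calls.push(s.length);
    return { ok: true, length: s.length };
  };
  return { parse, calls };
}

// Runs the guard against a normal date string and against the advisory's
// pathological input (half a million "(" characters).
function demo() {
  const { parse, calls } = makeRecordingParser();
  const good = safeFromRFC2822("Tue, 01 Nov 2016 13:23:12 +0630", parse);
  let rejected = false;
  try {
    safeFromRFC2822("(".repeat(500000), parse);
  } catch (e) {
    rejected = e instanceof InputTooLongError;
  }
  // The parser must have been invoked exactly once: for the good input only.
  return { good, rejected, parserCalls: calls.length };
}
```

The guard is deliberately placed in front of the parser rather than inside it, so it also protects any other date-parsing entry point you route through the same wrapper; the important property is that the oversized string never reaches the regular expressions at all.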
Luxon Inefficient Regular Expression Complexity vulnerability
High severity GitHub Reviewed Published Jan 9, 2023 in moment/luxon • Updated Jan 9, 2023
Package
npm luxon (npm)
Affected versions
>= 1.0.0, < 1.38.1
>= 2.0.0, < 2.5.2
>= 3.0.0, < 3.2.1
Patched versions
1.38.1
2.5.2
3.2.1
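To tell whether an installed copy of luxon falls in one of the affected ranges listed above, the following added example (not part of the advisory or of Luxon) compares a plain x.y.z version string against those ranges and reports the patched version to move to. Pre-release suffixes are not handled; the constructed dependency list in `demoScan` is sample data, not output of any real tool.

```javascript
// Added example (not from the advisory or the Luxon project): check a
// luxon version against the affected ranges from the advisory.
const AFFECTED_RANGES = [
  { min: "1.0.0", fixed: "1.38.1" }, // >= 1.0.0, < 1.38.1
  { min: "2.0.0", fixed: "2.5.2" },  // >= 2.0.0, < 2.5.2
  { min: "3.0.0", fixed: "3.2.1" },  // >= 3.0.0, < 3.2.1
];

// Only plain x.y.z versions are supported (assumption for this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric component-wise comparison (so 1.38.1 > 1.9.0, unlike string compare).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the patched version to upgrade to, or null when not affected.
function luxonFixFor(version) {
  for (const { min, fixed } of AFFECTED_RANGES) {
    if (compareVersions(version, min) >= 0 && compareVersions(version, fixed) < 0) {
      return fixed;
    }
  }
  return null;
}

// Scan a {name: version} map (constructed sample data, e.g. what you might
// assemble from a lockfile) and list the luxon entries that need an upgrade.
function findAffected(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    if (name !== "luxon") continue;
    const fixed = luxonFixFor(version);
    if (fixed) findings.push({ name, version, upgradeTo: fixed });
  }
  return findings;
}

function demoScan() {
  // Constructed sample dependency map, not real project data.
  return findAffected({ luxon: "3.1.0", express: "4.18.2" });
}
```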
References
- GHSA-3xq5-wjfh-ppjc
- GHSA-wc69-rhjr-hc9g
- https://nvd.nist.gov/vuln/detail/CVE-2023-22467
- moment/moment#6015 (comment)
- moment/luxon@5ab3bf6
icambron published the maintainer security advisory
Jan 4, 2023
Severity
High
7.5 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-1333
CVE ID
CVE-2023-22467
GHSA ID
GHSA-3xq5-wjfh-ppjc
Source code
moment/luxon
Related news
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.