You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 19, 2023. It is now read-only.
More information
There is an inefficient regular expression complexity in moment which can lead to regular expression denial of service (ReDoS) with the use of a specially crafted input. The problem is patched in 2.29.4
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
The text was updated successfully, but these errors were encountered:
Very sorry for the delay. As you may have noticed, a number of issues have fallen through the cracks, and we are in the process of catching up and cleaning things up.
Thank you for your report. We are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users. I have moved your request to the internal tracking system and the research team will look into the issue shortly.
If you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
advisoryAn advisory missing from the OSS Index database
Advisory details
More information
There is an inefficient regular expression complexity in moment which can lead to regular expression denial of service (ReDoS) with the use of a specially crafted input. The problem is patched in 2.29.4
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing.
moment("(".repeat(500000))
will take a few minutes to process, which is unacceptable.The text was updated successfully, but these errors were encountered: