This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Missing CWE-185 for Moment.js #310

Open
ashwinmayils opened this issue Jul 11, 2022 · 2 comments
Labels
advisory An advisory missing from the OSS Index database

Comments

@ashwinmayils

ashwinmayils commented Jul 11, 2022

Advisory details

  URL: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
  format: npm, nuget
  namespace: moment, moment.js
  name: moment
  versions: >= 2.18.0, < 2.29.4

More information
There is an inefficient regular expression complexity in moment which can lead to regular expression denial of service (ReDoS) with the use of a specially crafted input. The problem is patched in 2.29.4.

The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.

@ashwinmayils ashwinmayils added the advisory An advisory missing from the OSS Index database label Jul 11, 2022
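The bug class described in the report (a comment-stripping regex that backtracks quadratically on a run of "(") next to a linear-time alternative and an input-length guard, as an added example that is not code from the moment project or from the issue author. The regex in `quadraticStrip` illustrates the pattern only and is not quoted from moment's source; `stripComments`, `acceptDateInput` and `MAX_RFC2822_LENGTH` are assumed names.

```javascript
// Added example; not code from the moment project or the issue author.

// Illustrative only (NOT quoted from moment's source): a pattern of this shape is
// quadratic on a run of "(" because `[^)]*` scans to the end of the string from
// every unmatched "(" and then backtracks one character at a time before the
// engine gives up on that start position and moves to the next "(".
function quadraticStrip(s) {
  return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/\s\s+/g, ' ').trim();
}

// Linear-time alternative: a single pass with a depth counter and no backtracking.
// Nested comments are allowed by RFC 2822 and are removed whole. An unclosed "("
// is invalid in that grammar; everything after it is dropped, so the cost stays
// one pass over the input regardless of how many "(" it contains.
function stripComments(s) {
  let out = '';
  let depth = 0;
  for (const ch of s) {
    if (ch === '(') {
      depth += 1;
    } else if (ch === ')' && depth > 0) {
      depth -= 1;
      if (depth === 0) out += ' '; // a whole comment collapses to one space
    } else if (depth === 0) {
      out += ch === '\n' || ch === '\t' ? ' ' : ch; // unfold folding whitespace
    }
  }
  return out.replace(/\s\s+/g, ' ').trim();
}

// Defensive guard for untrusted input: a genuine RFC 2822 date-time is tens of
// characters long, so far longer strings are rejected before any parser sees
// them. The cap is an assumed value, not one the advisory specifies.
const MAX_RFC2822_LENGTH = 256;

function acceptDateInput(s) {
  return typeof s === 'string' && s.length <= MAX_RFC2822_LENGTH;
}
```

On well-formed input both functions produce the same result; only the linear version stays fast on the report's `"(".repeat(500000)` case, and the guard would reject that string outright.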
@ken-duck
Contributor

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

@ken-duck
Contributor

Very sorry for the delay. As you may have noticed, a number of issues have fallen through the cracks, and we are in the process of catching up and cleaning things up.

Thank you for your report. We are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users. I have moved your request to the internal tracking system and the research team will look into the issue shortly.

If you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org
