Vulnerability Report: Regular Expression Denial of Service (ReDoS) in moment.js #19985

Closed
1 task done
camgrimsec opened this issue Apr 3, 2024 · 1 comment

@camgrimsec

Issue Summary

Affected Packages:

moment@2.24.0
moment-timezone@0.5.23 (and its dependencies)

Fixed Version: moment@2.29.4

Exploit Maturity: Proof of Concept

Steps to Reproduce

Detailed Paths:

Introduced through:
    ghost@5.81.0 → moment@2.24.0
    Fix: Upgrade to moment@2.29.4

Introduced through:
    ghost@5.81.0 → moment-timezone@0.5.23 → moment@2.24.0
    Fix: Update dependencies, particularly moment to a version above 2.29.4. Try relocking your lockfile or deleting node_modules. If the issue persists, one of your dependencies may be bundling outdated modules.

Introduced through:
    ghost@5.81.0 → knex-migrator@5.2.0 → moment@2.24.0
    Fix: Unfortunately, no remediation path is available.

Ghost Version

Latest

Node.js Version

Latest

How did you install Ghost?

Windows

Database type

MySQL 5.7

Browser & OS version

No response

Relevant log / error output

No response

Code of Conduct

  • I agree to be friendly and polite to people in this repository
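Added example, not part of this issue or of the Ghost project: a Node script that walks a package-lock.json (lockfileVersion 2 or 3 "packages" map, assumed format) and reports every installed copy of moment below the fixed version 2.29.4 together with its install path. This is the check the three "Introduced through" paths above call for, since a top-level version check misses nested copies pulled in by moment-timezone or knex-migrator; the lockfile contents below are constructed to mirror the report.

```javascript
// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release/build suffixes are ignored (assumption: plain x.y.z release tags).
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{path, version}] for every copy of `pkg` installed below `fixed`.
// `path` is the chain of parent packages derived from the lockfile key, e.g.
// "node_modules/moment-timezone/node_modules/moment" -> "moment-timezone > moment".
function findOutdatedCopies(lock, pkg, fixed) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // '' is the root project; only keys whose last segment is the target package count.
    if (key === '' || !key.endsWith('node_modules/' + pkg)) continue;
    const chain = key
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    if (cmpVersion(entry.version, fixed) < 0) {
      hits.push({ path: chain.join(' > '), version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the three paths in the report, plus one
// nested copy that is already at the fixed version and must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'ghost', version: '5.81.0' },
    'node_modules/moment': { version: '2.24.0' },
    'node_modules/moment-timezone': { version: '0.5.23' },
    'node_modules/moment-timezone/node_modules/moment': { version: '2.24.0' },
    'node_modules/knex-migrator': { version: '5.2.0' },
    'node_modules/knex-migrator/node_modules/moment': { version: '2.24.0' },
    'node_modules/other-dep/node_modules/moment': { version: '2.29.4' },
  },
};

for (const h of findOutdatedCopies(SAMPLE_LOCK, 'moment', '2.29.4')) {
  console.log(`${h.path}@${h.version} is below fixed version 2.29.4`);
}
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a copy that survives after relocking points at a dependency bundling its own moment, as the report notes.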
@github-actions github-actions bot added the needs:triage [triage] this needs to be triaged by the Ghost team label Apr 3, 2024
@allouis
Contributor

allouis commented Apr 4, 2024

Please report any security issues as laid out here: https://ghost.org/docs/security/ and provide an example of the exploit.

@allouis allouis closed this as completed Apr 4, 2024
@github-actions github-actions bot removed the needs:triage [triage] this needs to be triaged by the Ghost team label Apr 4, 2024