search

OSSIndex / vulns

Report missing advisories and corrections on OSS Index
17 stars 12 forks source link

Missing CWE-185 for Moment.js #310

Open ashwinmayils opened 2 years ago

ashwinmayils commented 2 years ago

Advisory details

  URL: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
  format: npm, nuget
  namespace: moment, moment.js
  name: moment
  versions: >= 2.18.0, < 2.29.4

More information There is an inefficient regular expression complexity in moment which can lead to regular expression denial of service (ReDoS) with the use of a specially crafted input. The problem is patched in 2.29.4

The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.

ken-duck commented 2 years ago

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

Very sorry for the delay. As you may have noticed, a number of issues have fallen through the cracks, and we are in the process of catching up and cleaning things up.

Thank you for your report. We are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users. I have moved your request to the internal tracking system and the research team will look into the issue shortly.

If you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org