This PR contains the following updates:

| Package | Change |
| --- | --- |
| luxon | `3.0.1` -> `3.2.1` |
### GitHub Vulnerability Alerts

#### CVE-2023-22467

**Impact**

Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.
This is the same bug as Moment's https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
**Workarounds**

Limit the length of the input.
**References**

There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
**Details**

```js
import { DateTime } from "luxon";

DateTime.fromRFC2822("(".repeat(500000))
```

takes a couple of minutes to complete.

### Release Notes
#### moment/luxon (luxon)
### [`v3.2.1`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#321-2023-01-04)

[Compare Source](https://togithub.com/moment/luxon/compare/3.2.0...3.2.1)

- Fix for RFC-2822 regex vulnerability
- Better handling of BCP tags with -x- extensions

### [`v3.2.0`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#320-2022-12-29)

[Compare Source](https://togithub.com/moment/luxon/compare/3.1.1...3.2.0)

- Allow timeZone to be specified as an intl option
- Fix for diff's handling of end-of-month when crossing leap years ([#1340](https://togithub.com/moment/luxon/issues/1340))
- Add Interval.toLocaleString() ([#1320](https://togithub.com/moment/luxon/issues/1320))

### [`v3.1.1`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#311-2022-11-28)

[Compare Source](https://togithub.com/moment/luxon/compare/3.1.0...3.1.1)

- Add Settings.twoDigitCutoffYear

### [`v3.1.0`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#310-2022-10-31)

[Compare Source](https://togithub.com/moment/luxon/compare/3.0.4...3.1.0)

- Add Duration.rescale

### [`v3.0.4`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#304-2022-09-24)

[Compare Source](https://togithub.com/moment/luxon/compare/3.0.3...3.0.4)

- Fix quarters in diffs ([#1279](https://togithub.com/moment/luxon/issues/1279))
- Export package.json in package ([#1239](https://togithub.com/moment/luxon/issues/1239))

### [`v3.0.3`](https://togithub.com/moment/luxon/compare/3.0.2...3.0.3)

[Compare Source](https://togithub.com/moment/luxon/compare/3.0.2...3.0.3)

### [`v3.0.2`](https://togithub.com/moment/luxon/blob/HEAD/CHANGELOG.md#302-2022-08-28)

[Compare Source](https://togithub.com/moment/luxon/compare/3.0.1...3.0.2)

- Lots of doc changes
- Added DateTime.expandFormat
- Added support for custom conversion matrices in Durations

### Configuration
- 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
- ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.