:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - serverless-offline-11.2.1.tgz
Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af
Vulnerabilities
Details
CVE-2023-22467
### Vulnerable Libraries - luxon-1.28.0.tgz, luxon-3.0.4.tgz

### luxon-1.28.0.tgz
Immutable date wrapper
Library home page: https://registry.npmjs.org/luxon/-/luxon-1.28.0.tgz
Dependency Hierarchy:
- serverless-offline-11.2.1.tgz (Root Library)
  - node-schedule-2.1.0.tgz
    - cron-parser-3.5.0.tgz
      - :x: **luxon-1.28.0.tgz** (Vulnerable Library)

### luxon-3.0.4.tgz
Immutable date wrapper
Library home page: https://registry.npmjs.org/luxon/-/luxon-3.0.4.tgz
Dependency Hierarchy:
- serverless-offline-11.2.1.tgz (Root Library)
  - :x: **luxon-3.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: d6f11282ee9f4af0baad5df06570b6a9700994af
Found in base branch: master
### Vulnerability Details

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
Publish Date: 2023-01-04
URL: CVE-2023-22467
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc
Release Date: 2023-01-04
Fix Resolution (luxon): 1.28.1
Direct dependency fix Resolution (serverless-offline): 11.2.2
Fix Resolution (luxon): 3.2.1
Direct dependency fix Resolution (serverless-offline): 11.2.2