PT-2017-8452 · Moment.Js+2 · Moment+2

Published

2017-01-23

Updated

2026-06-04

CVE-2016-4055

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions moment versions prior to 2.11.2

Description The duration function in the moment package allows remote attackers to cause a denial of service (CPU consumption) via a long string, also known as a "regular expression Denial of Service (ReDoS)". This issue is triggered when arbitrary user input is passed into moment.duration().

Recommendations For moment versions prior to 2.11.2, please update to version 2.11.2 or later.

Exploit

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

CVE-2016-4055

GHSA-87VV-R9J6-G5QV

GHSA-HXF5-MG84-PJ4M

USN-4786-1

Affected Products

Jira

Ubuntu

Moment

PT-2017-8452 · Moment.Js+2 · Moment+2

CVE-2016-4055

Weakness Enumeration

Related Identifiers

Affected Products

References · 31