PT-2022-20550 · Moment+5 · Moment+6

Hernev +1 · Published 2022-07-06 · Updated 2026-06-04 · CVE-2022-31129

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

moment versions prior to 2.29.4

Description

The moment JavaScript date library uses an inefficient parsing algorithm in its string-to-date parsing and RFC 2822 parsing. On specific inputs the parsing has quadratic complexity, which causes a noticeable slowdown once inputs exceed 10k characters. Users who pass user-provided strings to the moment constructor without sanity length checks are vulnerable to (Re)DoS attacks.

Recommendations

For moment versions prior to 2.29.4, upgrade to version 2.29.4 or later. As a temporary workaround, limit the length of user input to something sane, like 200 characters or less, to minimize the risk of exploitation.
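
The two recommendations above can be enforced in application code. The following is an added example, not code from the moment project or from this advisory: `isAffectedMomentVersion` and `guardDateParser` are hypothetical helper names, and the 200-character cap is the advisory's suggested value.

```javascript
// Added example; helper names are hypothetical, not part of moment's API.
const FIXED_VERSION = [2, 29, 4];   // first fixed release per the advisory
const MAX_DATE_INPUT_LENGTH = 200;  // cap suggested in the recommendations

// True when a moment version string (e.g. the value of moment.version)
// is older than 2.29.4. Pre-release suffixes are ignored.
function isAffectedMomentVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`unrecognised version: ${version}`);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 2.29.4
}

// Wrap any string-to-date parser so that non-string or oversized input is
// rejected before the parser ever sees it.
function guardDateParser(parse, maxLength = MAX_DATE_INPUT_LENGTH) {
  return function guardedParse(input, ...rest) {
    if (typeof input !== "string") {
      throw new TypeError("date input must be a string");
    }
    if (input.length > maxLength) {
      throw new RangeError(`date input exceeds ${maxLength} characters`);
    }
    return parse(input, ...rest);
  };
}

// Constructed usage: a stand-in parser records its calls. In an application,
// pass (s, ...args) => moment(s, ...args) instead.
function demo() {
  const seen = [];
  const parse = guardDateParser((s) => { seen.push(s); return new Date(s); });
  const ok = parse("2022-07-06T00:00:00Z");
  let rejected = false;
  try {
    parse("1".repeat(10001)); // constructed oversized input
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { year: ok.getUTCFullYear(), rejected, parserCalls: seen.length };
}
```

The guard belongs at the trust boundary (request handler or form validation), so that every call path into the date parser passes through it.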

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2026-00717
CVE-2022-31129
DLA-3295-1
GHSA-3XQ5-WJFH-PPJC
GHSA-WC69-RHJR-HC9G
MGASA-2022-0323
MGASA-2024-0067
RHSA-2022:6272
RHSA-2022:6277
RHSA-2022:6392
RHSA-2022:6393
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2023:1486
RHSA-2023:3623
SUSE-SU-2022:3313-1
SUSE-SU-2022:3314-1
SUSE-SU-2022:3761-1
SUSE-SU-2023:0592-1
USN-5559-1
USN-6550-1

Affected Products

Astra Linux
Bitbucket
Confluence
Linuxmint
Suse
Ubuntu
Moment