PT-2022-28156 · Luxon +1

Vovikhangcdv · Published 2022-07-06 · Updated 2025-12-05 · CVE-2023-22467

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

- Luxon versions 1.x prior to 1.38.1
- Luxon versions 2.x prior to 2.5.2
- Luxon versions 3.x prior to 3.2.1
- Moment versions prior to 2.29.4
Description

Date and time parsing has quadratic (N^2) complexity on specific inputs, causing a noticeable slowdown for inputs longer than 10k characters. Applications that pass untrusted data to the affected methods are exposed to (Re)DoS attacks. The problem is rooted in the code that removes legacy comments from strings during RFC 2822 parsing.
Recommendations

- For Luxon versions 1.x prior to 1.38.1, update to version 1.38.1 or later.
- For Luxon versions 2.x prior to 2.5.2, update to version 2.5.2 or later.
- For Luxon versions 3.x prior to 3.2.1, update to version 3.2.1 or later.
- For Moment versions prior to 2.29.4, update to version 2.29.4 or later.

As a temporary workaround, consider limiting the length of the input to something sane, like 200 characters or less, to minimize the risk of exploitation.
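The workaround above, as an added example that is not Luxon's or Moment's own code: a wrapper that enforces the 200-character cap before any parsing work happens, paired with a single-pass stripper for RFC 2822 style "(comment)" sections (the step the advisory names as quadratic). The stripper is an illustrative linear-time approach, not the libraries' patched code; the parser is injected so the example runs without either library installed, and the sample input is constructed.

```javascript
// Added example (not Luxon's or Moment's code): bound input size before
// parsing, and remove RFC 2822 legacy comments in linear time.

const MAX_DATE_INPUT_LENGTH = 200; // cap suggested in the advisory

// Strip parenthesised comments in one pass over the string. Comments may
// nest (RFC 5322 CFWS) and a backslash escapes the next character inside
// a comment, so depth is tracked instead of re-scanning the string.
function stripRfc2822Comments(input) {
  let out = '';
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (depth > 0 && ch === '\\' && i + 1 < input.length) { i++; continue; }
    if (ch === '(') { depth++; continue; }
    if (ch === ')' && depth > 0) { depth--; continue; }
    if (depth === 0) out += ch;
  }
  // Collapse the whitespace left behind by removed comments.
  return out.replace(/\s+/g, ' ').trim();
}

// Guard: reject oversized input before it reaches the parser. `parse` is
// whatever date parser the application uses (e.g. DateTime.fromRFC2822 in
// Luxon); it is injected here so the example runs stand-alone.
function parseDateBounded(input, parse, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('date input must be a string');
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLength}` };
  }
  return { ok: true, value: parse(stripRfc2822Comments(input)) };
}

// Demo with a stand-in parser (Date.parse accepts the comment-free form).
// Sample inputs are constructed for this example.
const sample = 'Tue, 01 Nov 2016 13:23:12 +0630 (legacy (nested) comment)';
console.log(parseDateBounded(sample, Date.parse));
const oversized = 'Tue, 01 Nov 2016 13:23:12 +0630 '.padEnd(20000, '(');
console.log(parseDateBounded(oversized, Date.parse)); // rejected, never parsed
```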

Tags: Resource Exhaustion, DoS

Weakness Enumeration

Related Identifiers

CVE-2023-22467
GHSA-3XQ5-WJFH-PPJC
GHSA-WC69-RHJR-HC9G

Affected Products

Luxon
Moment