Regular Expression Denial of Service
- Vulnerable module: moment
Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when a locale has separate format and standalone options and the format input can be controlled by the user. An attacker can provide a specially crafted input to the format function that nearly matches the pattern being checked. The regular expression matching then takes a very long time, occupying the event loop and preventing it from processing other requests, which makes the server unavailable (a Denial of Service attack).
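The precondition above is a format string that the user controls. As an added example (not from this advisory or from the moment project), the following validator removes that precondition for an application that still lets clients choose a format: it caps the length of the untrusted string and accepts only a fixed set of moment format tokens, single-character separators and short bracketed literals. The token list, limits and function names are this example's assumptions, not moment's API.

```javascript
// Added example, not part of the advisory or of moment. Validates an untrusted
// moment format string in linear time before it ever reaches moment.format().
// Token list and limits are assumptions chosen for this illustration.

const MAX_FORMAT_LENGTH = 40;   // bounds the work any input can cause
const MAX_LITERAL_LENGTH = 10;  // bracketed literal text, e.g. [at]

// Permitted tokens, longest first so 'YYYY' is not read as 'YY' + 'YY'.
const ALLOWED_TOKENS = [
  'YYYY', 'YY', 'MMMM', 'MMM', 'MM', 'M', 'DD', 'Do', 'D', 'dddd', 'ddd',
  'HH', 'H', 'hh', 'h', 'mm', 'm', 'ss', 's', 'A', 'a', 'ZZ', 'Z',
];
const ALLOWED_SEPARATORS = new Set([' ', '-', '/', ':', ',', '.', 'T']);

// True when `fmt` consists solely of allowed tokens, separators and short
// bracketed literals; false for anything else, including oversized input.
function isAllowedFormat(fmt) {
  if (typeof fmt !== 'string' || fmt.length === 0 || fmt.length > MAX_FORMAT_LENGTH) {
    return false;
  }
  let i = 0;
  while (i < fmt.length) {
    const ch = fmt[i];
    if (ALLOWED_SEPARATORS.has(ch)) { i += 1; continue; }
    if (ch === '[') {
      // Bracketed literal: must be closed, short, and must not nest.
      const close = fmt.indexOf(']', i + 1);
      const literal = close === -1 ? null : fmt.slice(i + 1, close);
      if (literal === null || literal.length > MAX_LITERAL_LENGTH || literal.includes('[')) {
        return false;
      }
      i = close + 1;
      continue;
    }
    const token = ALLOWED_TOKENS.find((t) => fmt.startsWith(t, i));
    if (token === undefined) return false;
    i += token.length;
  }
  return true;
}

// Formats `date` only when the untrusted format passes validation. The
// formatter is injected, e.g. (d, f) => moment(d).format(f), so this file
// runs stand-alone without moment installed.
function formatUntrusted(formatter, date, fmt) {
  if (!isAllowedFormat(fmt)) throw new Error('rejected format string');
  return formatter(date, fmt);
}
```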
- October 19th, 2016 - Reported the issue to package owner.
- October 19th, 2016 - Issue acknowledged by package owner.
- October 24th, 2016 - Issue fixed and version