
Moment.js 2.29.4 CVE-2022-31129 #8968

Closed
melloware opened this issue Jul 7, 2022 · 3 comments · Fixed by #8969
Labels: 11.0.8, 🔒 security (Security related issue or enhancement)

Comments

@melloware (Member)

Impact
- using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
- noticeable slowdown is observed with inputs above 10k characters
- users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
Patches
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

References
There is an excellent writeup of the issue here: moment/moment#6015 (comment)

Details
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
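As an added example (not code from this issue, from PrimeFaces, or from moment.js), the following JavaScript shows the two defensive measures the advisory text points at: a comment stripper that walks the string once with a depth counter, so its cost stays linear however deeply parentheses nest, and the rudimentary length filter recommended under Workarounds placed in front of a parser. The helper names, the use of `Date.parse` as a stand-in parser, the 200-character constant, and the sample strings are assumptions made for this example.

```javascript
// Added example: not code from this issue, from PrimeFaces or from moment.js.
// Shows (1) a comment stripper that runs in one pass regardless of nesting and
// (2) the length guard the advisory recommends as a workaround. The function
// names, the Date.parse stand-in and the sample inputs are assumptions.

// Limit suggested under "Workarounds": legitimate date-time strings are far shorter.
const MAX_DATE_INPUT_LENGTH = 200;

// Remove RFC 2822 style "(comment)" text, including nested comments, and
// collapse surrounding whitespace. A depth counter drives a single
// left-to-right scan, so an input such as "(".repeat(500000) costs one pass
// over the string rather than one rescan per parenthesis.
function stripComments(s) {
  let out = '';
  let depth = 0;
  for (const ch of s) {
    if (ch === '(') {
      depth += 1;                    // enter a (possibly nested) comment
    } else if (ch === ')' && depth > 0) {
      depth -= 1;                    // leave the innermost open comment
    } else if (depth === 0) {
      out += ch;                     // keep text outside comments only
    }
  }
  return out.replace(/\s+/g, ' ').trim();
}

// Guard placed in front of any date parser: reject oversized strings before the
// parser sees them, so the parser's worst case can no longer be reached from
// user input. `parse` is any function taking a string and returning epoch
// milliseconds or NaN; Date.parse serves as the stand-in here.
function parseUserDate(input, parse = Date.parse, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'input is not a string' };
  }
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds limit ${maxLength}` };
  }
  const value = parse(stripComments(input));
  if (Number.isNaN(value)) {
    return { ok: false, reason: 'input is not a recognised date-time string' };
  }
  return { ok: true, value };
}

// Constructed sample inputs (not taken from any real traffic).
const SAMPLE_OK = 'Thu, 07 Jul 2022 10:00:00 GMT (issued by (upstream) server)';
const SAMPLE_PATHOLOGICAL = '('.repeat(500000); // the input quoted in the issue's Details

console.log(parseUserDate(SAMPLE_OK));           // { ok: true, value: 1657188000000 }
console.log(parseUserDate(SAMPLE_PATHOLOGICAL)); // rejected by the length check, never parsed
```

The guard is deliberately placed before any parsing work: the length check is O(1), so a request carrying a half-megabyte string is refused at no cost, which is the property a length filter has to have to count as a ReDoS mitigation at all.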

@melloware melloware added the 🔒 security Security related issue or enhancement label Jul 7, 2022
@melloware melloware added this to the 12.0.0 milestone Jul 7, 2022
@melloware melloware self-assigned this Jul 7, 2022
@melloware melloware linked a pull request Jul 7, 2022 that will close this issue
melloware added a commit to melloware/primefaces that referenced this issue Jul 7, 2022
melloware added a commit that referenced this issue Jul 7, 2022
@thucke commented Aug 29, 2022

Hi @melloware,
wouldn't this PR also be good to merge on 11.x?
When will version 12.0.0, in which this CVE is removed, be available in PrimeFaces?

@melloware (Member, Author)

12.0.0-RC3 is available in Maven Central right now.

@melloware melloware added the elite This issue is related to an Elite release label Sep 5, 2022
@mertsincan mertsincan added 11.0.8 and removed elite This issue is related to an Elite release labels Sep 21, 2022
@chovyy commented Oct 23, 2023

Will you also update the 10.0.x branch one day?
