#VU72033 Incorrect Regular Expression in Luxon - CVE-2023-22467


Vulnerability identifier: #VU72033

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-22467

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Luxon
Web applications / JS libraries

Vendor: Moment.js

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an incorrect regular expression when parsing untrusted input within the Luxon's DateTime.fromRFC2822() function. A remote attacker can causes a noticeable slowdown for inputs with lengths above 10k characters.

Note, this is the same vulnerability as #VU65835 (CVE-2022-31129) reported earlier for moment.js.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Luxon: 1.0.0 - 1.28.0, 2.0.0 - 2.5.1, 3.0.0 - 3.2.0

External links
https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf
https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cognos Analytics Mobile (iOS)
Multiple vulnerabilities in IBM Cognos Analytics Mobile (Android)
Multiple vulnerabilities in IBM Maximo Asset Management
Multiple vulnerabilities in Dell Secure Connect Gateway Policy Manager
Fedora 38 update for python-nikola
Fedora 39 update for python-nikola
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Incorrect regular expression in IBM Robotic Process Automation
Incorrect regular expression in IBM Cloud Pak for Integration
Incorrect regular expression in IBM App Connect Enterprise Certified Container