
CVE-2016-4055: Regular Expression Denial of Service in moment

CVSS Score (v3.0): 6.5

Basic Information

EPSS Score: 0.87086%
Published: 10/24/2017
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name: moment
Ecosystem: npm
Vulnerable Versions: < 2.11.2
First Patched Version: 2.11.2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The CVE explicitly states that the vulnerability is triggered through moment.duration() with crafted input. The proof of concept demonstrates ReDoS by passing a long string of digits, indicating that the duration parsing regex is the attack vector. While the exact pre-patch code isn't available, historical context shows that duration parsing regex improvements were made in the patched version (2.11.2). The function's role in input parsing, together with the CVE's specificity, gives high confidence in this attribution.
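As an added example (not Miggo's or the moment project's code), a defensive wrapper that an application still pinned below 2.11.2 can put in front of moment.duration(): untrusted strings are checked against a length cap and a bounded, backtracking-free allowlist before the library's parser sees them, and a separate version check flags an affected install at startup. The cap, the allowlist pattern and the injected durationFn are assumptions of this example, not values from the advisory.

```javascript
// Added example, not Miggo's or moment's own code. Assumptions: the caller
// injects moment's duration function (durationFn) so this file needs no
// dependency; the 64-character cap and the allowlist pattern are this
// example's own policy choices, not values taken from the advisory.

const FIRST_PATCHED = '2.11.2'; // first patched version, from the advisory

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}

// True when the installed moment version is below 2.11.2 (still affected).
function isVulnerableMomentVersion(installed) {
  const a = parseVersion(installed);
  const b = parseVersion(FIRST_PATCHED);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

const MAX_DURATION_INPUT = 64; // policy cap; the PoC shape is a very long digit string

// Allowlist for ISO-8601 durations. Every numeric field is bounded (1-9 digits)
// and the optional groups are anchored by distinct unit letters, so this test
// finishes in linear time and cannot backtrack catastrophically on any input.
const SAFE_DURATION =
  /^-?P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:\.\d{1,9})?S)?)?$/;

function isSafeDurationInput(input) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_DURATION_INPUT) return false; // cheapest check first
  return SAFE_DURATION.test(input);
}

// Validates an untrusted string and only then hands it to the parser.
// durationFn stands in for moment.duration in this example.
function guardedDuration(input, durationFn) {
  if (!isSafeDurationInput(input)) {
    throw new Error('rejected untrusted duration input');
  }
  return durationFn(input);
}
```

At startup, pass the installed version (moment exposes it as moment.version) to isVulnerableMomentVersion to flag installs that still need the upgrade; the input guard remains useful afterwards as defence in depth.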


WAF Protection Rules

WAF Rule

Versions of `moment` prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into `moment.duration()`.

Proof of concept:

var moment = require('mo
