CVE-2017-18214: Regular Expression Denial of Service in moment

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.54695%
Published: 3/5/2018
Updated: 4/14/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
moment       | npm       | < 2.19.3            | 2.19.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability CVE-2017-18214 explicitly references a ReDoS issue in the 'moment' library's date parsing logic. The GitHub commit diff shows critical modifications to the 'matchWord' regex in three files, including src/lib/parse/regex.js. The original regex used unbounded quantifiers (e.g., [0-9]* and +), which are classic indicators of ReDoS vulnerabilities. The patch introduced quantifier limits (e.g., {0,256} and {1,256}) to restrict input size. Since 'matchWord' is directly used in parsing date strings, its pre-patch form was the root cause of the vulnerability. No other functions are explicitly mentioned in the provided context, but the regex itself is the clearly identified vulnerable component.
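The analysis above turns on one point: a quantifier with no upper bound lets a single match consume arbitrarily long input, and replacing it with {0,256} / {1,256} caps that. The example below, written for this page and not taken from moment, shows both halves of that from a defender's side: a small lint that reports unbounded quantifiers (*, +, {n,}) in a regex source, and a check that the bounded form can never match more than 512 characters however long the input is. The two patterns MATCH_WORD_UNBOUNDED and MATCH_WORD_BOUNDED are constructed simplifications of the digits-then-word-characters shape the text describes, not the library's actual matchWord regex, and the function names are hypothetical.

```javascript
// Added example (not moment's own code). The two patterns are a constructed
// simplification of the matchWord shape the page describes (optional digits
// followed by word characters); they are NOT the library's actual regex.
// The unbounded form uses * and +, the bounded form uses the {0,256} / {1,256}
// limits that the fix introduced.
const MATCH_WORD_UNBOUNDED = /[0-9]*[a-z\u00A0-\u05FF]+/i;
const MATCH_WORD_BOUNDED = /[0-9]{0,256}[a-z\u00A0-\u05FF]{1,256}/i;

// Scan a regex source string and report quantifiers that admit unlimited
// repetition: *, +, and {n,} (a lazy ? suffix does not change the bound).
// Escaped characters and character classes are skipped so that a literal "+"
// inside [...] is not flagged. This is a coarse lint, not a full ReDoS analysis.
function findUnboundedQuantifiers(source) {
  const hits = [];
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; }                 // skip the escaped character
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '*' || ch === '+') { hits.push({ index: i, token: ch }); continue; }
    if (ch === '{') {
      const m = /^\{\d+,\}/.exec(source.slice(i));     // {n,} has no upper bound
      if (m) hits.push({ index: i, token: m[0] });
    }
  }
  return hits;
}

// Length of the first match of `re` in `input`, or 0 when there is none.
// With the bounded pattern this can never exceed 256 + 256 characters,
// however long the input is; with the unbounded pattern it grows with the input.
function firstMatchLength(re, input) {
  const m = re.exec(input);
  return m ? m[0].length : 0;
}

// Constructed input: a long run of digits followed by a long run of letters.
const LONG_INPUT = '1'.repeat(1000) + 'a'.repeat(1000);

// Compare the two patterns: which quantifiers the lint flags, and how much of
// the 2000-character input a single match is allowed to consume.
function summarize() {
  const out = {};
  for (const [name, re] of [['unbounded', MATCH_WORD_UNBOUNDED], ['bounded', MATCH_WORD_BOUNDED]]) {
    out[name] = {
      flagged: findUnboundedQuantifiers(re.source).map(h => h.token),
      firstMatchLength: firstMatchLength(re, LONG_INPUT),
    };
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```

On the constructed input the unbounded pattern matches all 2000 characters while the bounded one matches 512, which is the effect the patch relies on: the amount of work a single parse attempt can do is tied to the quantifier limits, not to the length of the attacker-controlled string. The lint is deliberately simple (it does not follow groups or alternation), so treat a clean result as "nothing obvious", not as proof that a pattern is safe.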


WAF Protection Rules

WAF Rule

Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation: Update to version *.**.* or later.
