CVE-2017-18214: Regular Expression Denial of Service in moment
CVSS Score: 7.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2017-18214
GHSA ID:
EPSS Score: 0.54695%
CWE:
Published: 3/5/2018
Updated: 4/14/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moment | npm | < 2.19.3 | 2.19.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2017-18214 describes a ReDoS issue in the 'moment' library's date parsing logic. The GitHub commit diff shows changes to the 'matchWord' regex in three files, including src/lib/parse/regex.js. The original regex used unbounded quantifiers (e.g., [0-9]* and +), which are classic indicators of ReDoS vulnerabilities. The patch introduced quantifier limits (e.g., {0,256} and {1,256}) to bound how much input each quantified group can consume. Since 'matchWord' is used directly when parsing date strings, its pre-patch form was the root cause of the vulnerability. No other functions are explicitly mentioned in the provided context, but the regex itself is the clearly identified vulnerable component.
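As an added illustration (not moment's own code; the character classes are a simplified assumption, since the real matchWord pattern spans many Unicode ranges), the example below contrasts the unbounded and bounded quantifier shapes described above, adds a length cap before matching, and includes a heuristic lint for unbounded quantifiers in a regex source:

```javascript
// Added example, not code from moment. Simplified stand-ins for the
// matchWord token pattern before and after the CVE-2017-18214 fix.
// The character classes are an assumption; moment's real pattern also
// covers many Unicode ranges that are omitted here.

// Pre-patch shape: unbounded quantifiers ([0-9]* and +).
const MATCH_WORD_UNBOUNDED = /[0-9]*['a-z]+/i;

// Patched shape: the same classes with explicit repetition limits,
// mirroring the {0,256} / {1,256} bounds introduced by the fix.
const MATCH_WORD_BOUNDED = /[0-9]{0,256}['a-z]{1,256}/i;

// Hard upper bound on how much text a single token regex may inspect.
// Bounded quantifiers limit backtracking; this cap limits total work.
const MAX_TOKEN_INPUT = 256;

// Heuristic lint (hypothetical helper): flags *, + or {n,} quantifiers
// that have no upper bound. It is not a full regex parser and ignores
// escaping subtleties such as characters inside [...] classes.
function hasUnboundedQuantifier(source) {
  return /(^|[^\\])(\*|\+|\{\d+,\})/.test(source);
}

// Defensive wrapper: reject overlong input before any regex runs, then
// match with the bounded pattern. Returns the matched token or null.
function matchWordSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_TOKEN_INPUT) {
    return null;
  }
  const m = MATCH_WORD_BOUNDED.exec(input);
  return m ? m[0] : null;
}

// Length of the token each pattern would consume from a given string.
function consumedLength(pattern, input) {
  const m = pattern.exec(input);
  return m ? m[0].length : 0;
}

// Constructed sample inputs: ordinary month/ordinal tokens and an
// oversized run of letters that the bounded pattern truncates at 256.
console.log(matchWordSafe('March'));                 // "March"
console.log(matchWordSafe('12th'));                  // "12th"
console.log(matchWordSafe('a'.repeat(300)));         // null (rejected by cap)
console.log(consumedLength(MATCH_WORD_UNBOUNDED, 'a'.repeat(300))); // 300
console.log(consumedLength(MATCH_WORD_BOUNDED, 'a'.repeat(300)));   // 256
```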