moment is a lightweight JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks for any locale that has separate format and standalone options and format input can be controlled by the user.

An attacker can provide a specially crafted input to the format function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

External References:
https://snyk.io/vuln/npm:moment:20161019

Upstream patch:
https://github.com/moment/moment/commit/663f33e333212b3800b63592cd8e237ac8fabdb9
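Because the precondition above is a format string the user controls, one interim control is to vet that string before it reaches the format function. The following is an added example, not code from moment or from this bug report; `vetFormat`, the two limits, the separator set and the token subset are assumptions chosen for illustration.

```javascript
'use strict';
// Added example, not moment's code: vet a user-supplied format string
// before it reaches moment().format(). Limits below are assumed policy values.
const MAX_FORMAT_LENGTH = 40;
const MAX_LITERAL_LENGTH = 16;

// Subset of moment's documented format tokens; longer forms are listed first
// so that the scanner consumes "MMMM" before "MM".
const TOKENS = ['YYYY', 'YY', 'MMMM', 'MMM', 'MM', 'M', 'dddd', 'ddd',
  'DD', 'Do', 'D', 'HH', 'H', 'hh', 'h', 'mm', 'm', 'ss', 's', 'A', 'a', 'Z'];
const SEPARATORS = ' -/.,:';

function reject(reason) {
  return { ok: false, reason };
}

function vetFormat(input) {
  if (typeof input !== 'string' || input.length === 0) return reject('type');
  // Bound the work any later regular expression can be asked to do.
  if (input.length > MAX_FORMAT_LENGTH) return reject('length');
  // No legitimate format needs a run of spaces, so refuse them outright.
  if (input.includes('  ')) return reject('space-run');
  let i = 0;
  while (i < input.length) {
    const ch = input[i];
    if (ch === '[') {
      // Bracketed literal text: must be closed, short, and not nested.
      const end = input.indexOf(']', i + 1);
      if (end === -1) return reject('literal');
      const literal = input.slice(i + 1, end);
      if (literal.length > MAX_LITERAL_LENGTH || literal.includes('[')) {
        return reject('literal');
      }
      i = end + 1;
      continue;
    }
    const token = TOKENS.find((t) => input.startsWith(t, i));
    if (token) {
      i += token.length;
      continue;
    }
    // Anything that is neither a token nor a plain separator is refused
    // (this also excludes tabs, newlines and other whitespace).
    if (!SEPARATORS.includes(ch)) return reject('char');
    i += 1;
  }
  return { ok: true, format: input };
}
```

The scanner is a single linear pass with no regular expressions of its own. It narrows what callers can send to the format function and does not replace updating to a release that contains the upstream patch.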
Created nodejs-moment tracking bugs for this issue:

Affects: fedora-all [bug 1388495]
Statement: This issue affects the versions of nodejs-moment as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.