moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. Upstream patch: https://github.com/moment/moment/pull/2939 External References: https://nodesecurity.io/advisories/55
Created nodejs-moment tracking bugs for this issue: Affects: fedora-all [bug 1304649]
CVE assignment: http://seclists.org/oss-sec/2016/q2/122