# EIQ-2019-0007

| ID | EIQ-2019-0007 |
|---|---|
| CVE | |
| Description | Moment.js is vulnerable to regular expression denial of service |
| Date | 11 Feb 2019 |
| Severity | 2 - MEDIUM |
| CVSSv3 score | 6.5 |
| Status | ✅ All versions |
| Assessment | Moment.js Node.js module versions 2.19.3 and earlier are vulnerable to low-severity regular expression denial of service (ReDoS) when parsing dates as strings. This can result in a denial of service (CPU consumption). Note: this vulnerability is a false positive for EclecticIQ Platform. The platform uses Moment.js only to parse date and time values that signed-in platform users select through date and time picker elements in the web-based GUI, so the dependency parses and processes only internal, validated values. Even if a crafted regex were injected and sent to Moment.js for parsing, the resulting denial of service (DDoS) would last only a few seconds: the web-based GUI would hang for a few seconds before resuming normal functionality. |
| Mitigation | Update to Moment.js version 2.19.3 or later. |
| Affected versions | None |
| Notes | For more information, see: |