CVE-2022-31129: Inefficient Regular Expression Complexity in moment

Published Jul 6, 2022

### Impact

* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
* noticeable slowdown is observed with inputs above 10k characters
* users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks

### Patches

The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.

### Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter; it would help with this and also with most future ReDoS vulnerabilities.

### References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973

### Details

The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.
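The following is an added example, not moment's own source and not the fix commit (whose exact regexes this page does not quote). It reconstructs the shape of the problem the Details section describes (a comment-stripping regex whose character class can swallow unbalanced "(" characters and backtrack quadratically, next to a linear shape) and the input-length guard the Workarounds section recommends; `STRIP_COMMENTS_SLOW`, `STRIP_COMMENTS_FAST`, `safeDateInput`, `compareShapes` and the 200-character bound are illustrative assumptions.

```javascript
// Added example (not moment's own source or its fix commit): the backtracking
// shape behind the Details section and the length check from Workarounds.
// Both regexes are illustrative reconstructions of "strip (comments)" logic.

// On N unbalanced "(" characters, "[^)]*" greedily swallows every following
// "(" before "\)" fails, and the engine retries from each start: O(N^2).
const STRIP_COMMENTS_SLOW = /\([^)]*\)|[\n\t]/g;
// Excluding "(" from the comment body makes each attempt fail at once: O(N).
const STRIP_COMMENTS_FAST = /\([^()]*\)|[\n\t]/g;

// Remove legacy comments and folding whitespace, then collapse runs of spaces.
function stripComments(s, re) {
  return s.replace(re, ' ').replace(/\s\s+/g, ' ').trim();
}

// Wall-clock cost of one strip, in milliseconds, for comparing the two shapes.
function timeStrip(s, re) {
  const t0 = process.hrtime.bigint();
  stripComments(s, re);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Time both shapes on n unbalanced "(" characters (a constructed hostile input).
function compareShapes(n) {
  const hostile = '('.repeat(n);
  return {
    slowMs: timeStrip(hostile, STRIP_COMMENTS_SLOW),
    fastMs: timeStrip(hostile, STRIP_COMMENTS_FAST),
  };
}

// The advisory's workaround: bound untrusted input before it reaches any
// date parser. 200 is the advisory's suggested limit, not a moment constant.
const MAX_DATE_STRING_LENGTH = 200;
function safeDateInput(userString) {
  if (typeof userString !== 'string') {
    throw new TypeError('date input must be a string');
  }
  if (userString.length > MAX_DATE_STRING_LENGTH) {
    throw new RangeError(
      `date string too long: ${userString.length} > ${MAX_DATE_STRING_LENGTH}`);
  }
  return userString;
}
```

Calling `compareShapes(10000)` shows the slow shape taking orders of magnitude longer than the fast one on the same input, while `safeDateInput` rejects such an input before any parsing happens.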

Affected Software

21 affected components; fixes available.

| Component | Affected versions | Fixed version |
| --- | --- | --- |
| redhat/servicemesh-prometheus | <0:2.14.0-18.el8.1 | 0:2.14.0-18.el8.1 |
| redhat/servicemesh-prometheus | <0:2.23.0-9.el8 | 0:2.23.0-9.el8 |
| redhat/ceph | <2:17.2.6-70.el9c | 2:17.2.6-70.el9c |
| redhat/grafana | <0:5.2.4-6.el7 | 0:5.2.4-6.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| redhat/cockpit-ovirt | <0:0.16.2-1.el8e | 0:0.16.2-1.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.3.5-1.el8e | 0:1.3.5-1.el8e |
| nuget/Moment.js | >=2.18.0 <2.29.4 | 2.29.4 |
| npm/moment | >=2.18.0 <2.29.4 | 2.29.4 |
| debian/node-moment | | 2.29.1+ds-2+deb11u2, 2.29.4+ds-1 |
| Momentjs Moment Node.js | >=2.18.0 <2.29.4 | |
| Momentjs Moment Nuget | >=2.18.0 <2.29.4 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =10.0 | |
| redhat/moment | <2.29.4 | 2.29.4 |
| IBM Watson Studio on Cloud Pak for Data | <=4.0 | |
| IBM Watson Studio on Cloud Pak for Data | <=5.0 | |

Event History

Jul 6, 2022

* CVE Published via MITRE, 12:00 AM
* Data Sourced via MITRE, 12:00 AM (fields: Description, Severity, Weakness)
* Data Sourced via NVD, 06:15 PM (fields: Remedy, Description, Severity, Weakness, Affected Software)
* Advisory Published, 06:38 PM

Jul 7, 2022

* Data Sourced via Red Hat, 08:26 PM (fields: Description, Severity, Affected Software)

Jan 12, 2024

* Data Sourced via Launchpad, 12:08 AM (fields: Description)

Sep 16, 2024

* Data Sourced via Ubuntu, 02:40 AM (fields: Remedy, Description, Severity, Affected Software)

Aug 28, 2025

* Data Sourced via IBM, 12:00 AM (fields: Description, Affected Software)

Frequently Asked Questions

1. What is CVE-2022-31129?

CVE-2022-31129 is a vulnerability in the Moment.js package that allows an attacker to craft a user-provided string that causes the parsing algorithm to become inefficient, potentially leading to denial of service.

2. How does CVE-2022-31129 affect moment.js?

CVE-2022-31129 affects the moment.js versions listed above, which use an inefficient parsing algorithm when handling user-provided strings.

3. What is the severity of CVE-2022-31129?

CVE-2022-31129 has a severity rating of high, with a CVSS score of 7.5.

4. How do I fix CVE-2022-31129?

To fix CVE-2022-31129, upgrade to version 2.29.4 of the moment.js package.

5. Where can I find more information about CVE-2022-31129?

More information about CVE-2022-31129 can be found in the following references: [GitHub Commit](https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3), [GitHub Pull Request](https://github.com/moment/moment/pull/6015#issuecomment-1152961973), [GitHub Security Advisory](https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g).
