{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-22467","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2022-12-29T03:00:40.880Z","datePublished":"2023-01-04T21:52:14.329Z","dateUpdated":"2025-02-13T16:43:52.699Z"},"containers":{"cna":{"title":"luxon.js inefficient regular expression complexity vulnerability","problemTypes":[{"descriptions":[{"cweId":"CWE-1333","lang":"en","description":"CWE-1333: Inefficient Regular Expression Complexity","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc"},{"name":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g","tags":["x_refsource_MISC"],"url":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"},{"name":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973","tags":["x_refsource_MISC"],"url":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973"},{"name":"https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf","tags":["x_refsource_MISC"],"url":"https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/"}],"affected":[{"vend
or":"moment","product":"luxon","versions":[{"version":">= 1.0.0, < 1.38.1","status":"affected"},{"version":">= 2.0.0, < 2.5.2","status":"affected"},{"version":">= 3.0.0, < 3.2.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-02-12T03:06:26.593Z"},"descriptions":[{"lang":"en","value":"Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input."}],"source":{"advisory":"GHSA-3xq5-wjfh-ppjc","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T10:13:48.311Z"},"title":"CVE Program 
Container","references":[{"name":"https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc"},{"name":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"},{"name":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973"},{"name":"https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/","tags":["x_transferred"]}]}]}}