WS-2016-0006 Medium Severity Vulnerability detected by WhiteSource #1022

Open
@mend-bolt-for-github

Description

WS-2016-0006 - Medium Severity Vulnerability

Vulnerable Library - moment-2.0.0.tgz

Parse, manipulate, and display dates.

path: /tmp/git/FinancialManager/web/assets/vendors/jqvmap/node_modules/moment/package.json

Library home page: http://registry.npmjs.org/moment/-/moment-2.0.0.tgz

Dependency Hierarchy:

  • grunt-changelog-0.2.2.tgz (Root Library)
    • moment-2.0.0.tgz (Vulnerable Library)

Vulnerability Details

Moment is vulnerable to regular expression denial of service (ReDoS) when user input is passed unchecked into moment.duration(), blocking the event loop for a period of time.

Publish Date: 2016-01-26

URL: WS-2016-0006

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/55

Release Date: 2016-01-26

Fix Resolution: Please update to version 2.11.2 or greater. If you are unable to update, more information is available below.

A fix has been made available in a pull request. Do not allow untrusted user input into moment.duration() or truncate the length of the allowed input to reduce blocking potential.

In moment.js, change line 1819 from

var aspNetRegex = /(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;

to

var aspNetRegex = /^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d*)?)?$/;



Labels: security vulnerability (Security vulnerability detected by WhiteSource)