Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-4055 |
CWE-ID | CWE-399 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | Moment (Web applications / JS libraries) |
Vendor | Moment.js |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU21762
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-4055
CWE-ID: CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.
The vulnerability exists due to an error in the "moment.duration()" function. A remote attacker can supply a specially crafted long string as input and cause regular expression denial of service.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Moment: 0.3.0 - 2.11.2
External links
http://nodesecurity.io/advisories/55
http://www.npmjs.com/advisories/55
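As an added example (not code from the advisory or from Moment.js itself), a small check that tells whether an installed Moment.js version falls inside the affected range 0.3.0 - 2.11.2 listed above, so a dependency audit can flag it before the update is applied. The helper names and the lockfile-style input shape are assumptions of this example.

```javascript
// Added example: flag Moment.js versions inside the advisory's affected range.
// Helper names and the dependency-map input shape are this example's own.

const AFFECTED_MIN = "0.3.0";
const AFFECTED_MAX = "2.11.2"; // inclusive; 2.11.3 and later are outside the range

// Parse "MAJOR.MINOR.PATCH". A leading "v" and any pre-release/build suffix are
// ignored for the numeric comparison (a "2.11.2-rc1" is treated as 2.11.2, i.e.
// conservatively as affected). Returns null on malformed input.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric compare: negative if a < b, 0 if equal, positive if a > b.
// Compares component by component so "2.11.10" sorts after "2.11.9".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isAffectedMomentVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk a flat dependency map ({ name: { version } }, as in a package-lock
// "dependencies" object) and report every moment entry in the affected range.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, info] of Object.entries(deps)) {
    if (name === "moment" && info && isAffectedMomentVersion(info.version)) {
      findings.push({ name, version: info.version, cve: "CVE-2016-4055" });
    }
  }
  return findings;
}

// Constructed sample input mimicking a package-lock "dependencies" map.
const SAMPLE_DEPS = {
  moment: { version: "2.11.2" },
  lodash: { version: "4.17.21" },
};
```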
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.