CVE-2022-31129 Overview
CVE-2022-31129 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Moment.js, a widely-used JavaScript date library for parsing, validating, manipulating, and formatting dates. The vulnerability exists in the RFC2822 date parsing functionality, which is attempted by default when parsing date strings. The inefficient parsing algorithm exhibits quadratic (N^2) complexity on specific inputs, allowing attackers to cause significant application slowdowns or complete denial of service.
Critical Impact
Applications accepting user-provided date strings without length validation are vulnerable to denial of service attacks, potentially causing service unavailability for all users.
Affected Products
- Momentjs Moment (versions prior to 2.29.4 for Node.js)
- Momentjs Moment (versions prior to 2.29.4 for NuGet)
- Fedoraproject Fedora (versions 35, 36, 37)
- Debian Debian Linux (version 10.0)
Discovery Timeline
- 2022-07-06 - CVE-2022-31129 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-31129
Vulnerability Analysis
The vulnerability resides in the preprocessRFC2822 function within Moment.js's date string parsing module. This function processes RFC2822 formatted date strings by removing comments, folding whitespace, and normalizing spaces. The core issue stems from an inefficient regular expression pattern that exhibits catastrophic backtracking behavior when processing maliciously crafted input strings.
When Moment.js attempts to parse a date string, it tries multiple parsing strategies including RFC2822 format by default. The vulnerable regex pattern /\([^)]*\)/g was designed to strip parenthesized comments from RFC2822 date strings. However, this pattern becomes problematic when encountering nested or unmatched parentheses, causing the regex engine to explore an exponentially growing number of potential matches.
Users passing strings exceeding 10,000 characters to the Moment.js constructor may observe noticeable slowdowns. Larger inputs can completely freeze the JavaScript event loop, effectively denying service to all application users.
Root Cause
The root cause is an inefficient regular expression in the preprocessRFC2822 function that exhibits quadratic time complexity (O(n²)) due to catastrophic backtracking. The original regex pattern /\([^)]*\)/g was designed to match and remove parenthetical comments but failed to account for nested parentheses or malformed input, causing the regex engine to perform excessive backtracking operations on crafted inputs.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests containing specially crafted date strings to any endpoint that processes user input through Moment.js. The attack requires:
- Identification of an application endpoint accepting date strings
- Crafting a malicious string with patterns that trigger catastrophic backtracking
- Sending the payload to exhaust server CPU resources
Applications that accept user-provided strings and pass them directly to the moment() constructor without input length validation are particularly vulnerable. This is common in web applications processing form data, API requests, or importing data from external sources.
// Security patch for preprocessRFC2822 function
// Source: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
function preprocessRFC2822(s) {
// Remove comments and folding whitespace and replace multiple-spaces with a single space
return s
- .replace(/\([^)]*\)|[\n\t]/g, ' ')
+ .replace(/\([^()]*\)|[\n\t]/g, ' ')
.replace(/(\s\s+)/g, ' ')
.replace(/^\s\s*/, '')
.replace(/\s\s*$/g, '');
The fix changes the regex pattern from \([^)]*\) to \([^()]*\), preventing the engine from matching nested parentheses and eliminating the catastrophic backtracking behavior.
Detection Methods for CVE-2022-31129
Indicators of Compromise
- Unusual CPU utilization spikes on web application servers during date parsing operations
- Significant increase in response times for API endpoints accepting date parameters
- Application timeouts or unresponsive behavior when processing date strings
- Error logs showing JavaScript execution timeouts or event loop blocking
Detection Strategies
- Monitor application performance metrics for sudden CPU spikes correlated with date parsing requests
- Implement request logging to identify unusually large payloads in date-related fields
- Use software composition analysis (SCA) tools to identify vulnerable Moment.js versions in dependencies
- Review application code for direct usage of moment() constructor with user-provided input
Monitoring Recommendations
- Configure application performance monitoring (APM) to alert on elevated response times for date-processing endpoints
- Set up resource utilization alerts for CPU thresholds that may indicate ReDoS exploitation
- Implement request size monitoring to detect anomalously large input payloads
- Enable verbose logging for date parsing operations in staging environments to identify potential attack patterns
How to Mitigate CVE-2022-31129
Immediate Actions Required
- Upgrade Moment.js to version 2.29.4 or later immediately
- Implement input length validation for all date strings before passing to Moment.js
- Audit application code for direct usage of moment() constructor with user-controlled input
- Consider migrating to actively maintained alternatives such as date-fns or Luxon
Patch Information
The vulnerability is patched in Moment.js version 2.29.4. The patch modifies the regular expression in the preprocessRFC2822 function to prevent catastrophic backtracking. Organizations should update via their package manager:
For npm: npm update moment or npm install moment@2.29.4
For yarn: yarn upgrade moment@2.29.4
The GitHub commit contains the minimal change required, which can be backported to older versions if upgrading is not immediately feasible. Additional details are available in the GitHub Security Advisory.
Workarounds
- Implement strict input length limits (e.g., 200 characters) for date strings before parsing
- Use explicit date format strings instead of relying on automatic format detection
- Wrap Moment.js parsing in try-catch with timeout mechanisms
- Consider using moment.utc() or moment.parseZone() with explicit formats to bypass RFC2822 parsing
# Configuration example - Input validation before Moment.js parsing
# Implement in your application's input validation layer
# Example npm command to check for vulnerable versions
npm list moment
# Example to update to patched version
npm install moment@2.29.4 --save
# Verify installed version
npm list moment | grep moment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
