CVE-2023-22467 Overview
CVE-2023-22467 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Luxon, a popular JavaScript library for working with dates and times. The vulnerability exists in the DateTime.fromRFC2822() function, which exhibits quadratic (N²) complexity when processing certain malicious inputs. This algorithmic complexity attack causes significant performance degradation when parsing input strings exceeding 10,000 characters, making applications vulnerable to denial of service attacks when processing untrusted user data.
Critical Impact
Applications accepting untrusted date strings via DateTime.fromRFC2822() are vulnerable to ReDoS attacks that can cause service unavailability through CPU exhaustion.
Affected Products
- Luxon versions prior to 1.38.1 on the 1.x branch
- Luxon versions prior to 2.5.2 on the 2.x branch
- Luxon version 3.2.1 on the 3.x branch
Discovery Timeline
- 2023-01-04 - CVE CVE-2023-22467 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-22467
Vulnerability Analysis
The vulnerability resides in the preprocessRFC2822() function within Luxon's regex parser module (src/impl/regexParser.js). The function is responsible for sanitizing RFC 2822 formatted date strings by removing comments and normalizing whitespace before parsing. The problematic regular expression used for comment removal exhibits catastrophic backtracking behavior when processing specially crafted inputs.
This vulnerability is related to CVE-2022-31129, which affects the Moment.js library with a similar ReDoS issue. The root cause involves inefficient regex patterns that allow attackers to exploit the non-deterministic nature of regex matching engines in JavaScript.
Root Cause
The vulnerable code uses a regex pattern /\([^)]*\)|[\n\t]/g to remove parenthetical comments from RFC 2822 date strings. This pattern fails to properly handle nested or malformed parentheses, leading to exponential backtracking behavior. When processing adversarial input containing carefully constructed sequences of parentheses and other characters, the regex engine enters a state where it must explore an exponentially growing number of possible matches, resulting in quadratic time complexity.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by submitting maliciously crafted date strings to any application endpoint that processes user-supplied data through DateTime.fromRFC2822(). The attack payload consists of a specially formatted string exceeding 10,000 characters designed to trigger worst-case regex matching behavior, causing the application to hang or become unresponsive while processing the input.
function preprocessRFC2822(s) {
// Remove comments and folding whitespace and replace multiple-spaces with a single space
return s
- .replace(/\([^)]*\)|[\n\t]/g, " ")
+ .replace(/\([^()]*\)|[\n\t]/g, " ")
.replace(/(\s\s+)/g, " ")
.trim();
}
Source: GitHub Commit
The fix modifies the regex pattern from [^)]* to [^()]*, explicitly excluding both opening and closing parentheses from the character class. This prevents the regex engine from backtracking through nested parentheses structures.
Detection Methods for CVE-2023-22467
Indicators of Compromise
- Abnormally high CPU utilization on application servers processing date/time data
- Increased response latency or timeouts on endpoints accepting date string inputs
- Application logs showing unusually long processing times for RFC 2822 date parsing operations
- Memory consumption spikes correlated with date parsing requests
Detection Strategies
- Monitor application performance metrics for anomalous CPU spikes during date parsing operations
- Implement request logging that captures input string lengths to identify suspiciously large payloads
- Use application performance monitoring (APM) tools to trace slow transactions to DateTime.fromRFC2822() calls
- Deploy web application firewall (WAF) rules to flag or block requests with excessively long date-like strings
Monitoring Recommendations
- Set up alerting thresholds for endpoint response times that process user-supplied date strings
- Implement input length monitoring at API gateways to detect oversized payloads
- Configure server-side timeout mechanisms to terminate long-running regex operations
- Review dependency audit reports regularly using npm audit or similar tools
How to Mitigate CVE-2023-22467
Immediate Actions Required
- Upgrade Luxon to version 1.38.1 or later (for 1.x branch users)
- Upgrade Luxon to version 2.5.2 or later (for 2.x branch users)
- Upgrade Luxon to version 3.2.1 or later (for 3.x branch users)
- Audit application code to identify all usages of DateTime.fromRFC2822() with untrusted input
Patch Information
Security patches are available in Luxon versions 1.38.1, 2.5.2, and 3.2.1. The fix modifies the regex pattern in the preprocessRFC2822() function to prevent catastrophic backtracking. The patch is available in the GitHub Commit. Additional context on the similar Moment.js vulnerability can be found in the related GitHub Pull Request discussion.
Workarounds
- Implement input length validation to reject date strings exceeding a reasonable threshold (e.g., 200 characters)
- Add server-side timeout wrappers around DateTime.fromRFC2822() calls to prevent indefinite blocking
- Use alternative date parsing methods when processing untrusted input until patches can be applied
- Consider implementing rate limiting on endpoints that accept date string inputs
# Update Luxon to patched version
npm update luxon
# Or install specific patched version
npm install luxon@2.5.2
# Audit dependencies for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
