GHSA-wc69-rhjr-hc9g · Severity: high · Ecosystem: npm — Moment.js vulnerable to Inefficient Regular Expression Complexity
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without length sanity checks are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
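The workaround described above, sketched as an added example (not code from the moment project or from this advisory): a version check against the affected range listed on this page and a length guard applied before a user-supplied string reaches the parser. The 256-character cap, `MAX_DATE_INPUT_LENGTH` and all function names are assumptions for illustration.

```javascript
// Added example. MAX_DATE_INPUT_LENGTH and all function names here are
// assumptions for illustration; none of them are part of moment's API.
const MAX_DATE_INPUT_LENGTH = 256; // assumed cap, far below the ~10k slowdown point

// Affected range as listed on this page: >= 2.18.0, < 2.29.4
const AFFECTED_FROM = [2, 18, 0];
const FIXED_IN = [2, 29, 4];

// Reads the leading major.minor.patch triple; any suffix is ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`unrecognised version: ${version}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when a version string (for example the value of moment.version)
// falls inside the affected range.
function isAffectedMomentVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Rejects oversized input before any parsing work is done. `parse` is the
// call the application already makes, e.g. (s) => moment(s).
function parseUserDate(input, parse, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('date input must be a string');
  if (input.length > maxLength) {
    throw new RangeError(`date input exceeds ${maxLength} characters`);
  }
  return parse(input);
}
```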
Conclusion & alert: CVE-2022-31129 is rated High Exploit Risk (75.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.17%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-08 | 2.87% | 3.17% | +0.30% |
| 2 | 2026-06-05 | 3.11% | 2.87% | -0.24% |
| 3 | 2026-05-26 | — | 3.11% | — |
Full EPSS history (50 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH | | 3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH | | 3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM | | 10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | not yet assigned | CVE-2022-31129 not yet assigned priority: Debian including 1 source packages (node-moment), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2022-31129 |
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2022-31129 |
| suse | high | — | https://www.suse.com/security/cve/CVE-2022-31129/ |
| ubuntu | medium | CVE-2022-31129 medium priority: Ubuntu including 11 source packages (gnucash, mediawiki, …), 154 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 84, needs-triage 35, DNE 17, not-affected 10, released 5, needed 3. | https://ubuntu.com/security/CVE-2022-31129 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| momentjs | moment | >= 2.18.0, < 2.29.4 | cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:* |
| momentjs | moment | >= 2.18.0, < 2.29.4 | cpe:2.3:a:momentjs:moment:*:*:*:*:*:nuget:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |