VYPR
High severity · NVD Advisory · Published Mar 4, 2018 · Updated Aug 5, 2024

CVE-2017-18214

Description

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moment.js before 2.19.3 has a ReDoS vulnerability via a crafted date string, leading to denial of service.

Vulnerability

The moment module before version 2.19.3 for Node.js is vulnerable to regular expression denial of service (ReDoS) via a crafted date string. The vulnerability lies in the matchWord regex pattern used for parsing date strings, which can cause catastrophic backtracking on malicious input. [1] [2] [4]

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted date string to an application that uses the moment library to parse user-supplied dates. No authentication or special privileges are required, as the vulnerable regex is executed on input parsing. The crafted string triggers exponential backtracking, consuming CPU resources. [2] [4]

Impact

Successful exploitation results in a denial of service (DoS) condition, making the Node.js process unresponsive and potentially affecting the availability of the entire application. [1] [4]

Mitigation

The vulnerability is fixed in moment version 2.19.3, released in 2018. The commit [2] limits regex quantifiers to prevent excessive backtracking. Tenable addressed this by upgrading to moment 2.19.3 in Nessus 8.3.0. [3] Users should upgrade to the patched version immediately; no known workarounds exist. [4]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
moment (npm) | < 2.19.3 | 2.19.3
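
One way to check a project against the affected range above, as an added example that is not from the advisory or the moment project: it scans a parsed package-lock.json for installed copies of moment older than 2.19.3, covering both the nested lockfileVersion 1 tree and the flat lockfileVersion 2/3 `packages` map. The function names and both sample lockfiles are constructed for illustration.

```javascript
// Added example; names and sample data are constructed, not from the advisory.
const FIXED = [2, 19, 3]; // first patched release per the advisory

function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // git/file specs or a missing version: not comparable
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 2.19.3
}

function findVulnerableMoment(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isMoment = /(^|\/)node_modules\/moment$/.test(path);
      if (isMoment && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so recurse into each entry.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'moment' && isVulnerable(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  moment: { version: '2.24.0' },
  'report-lib': { version: '1.0.0', dependencies: { moment: { version: '2.18.1' } } },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/moment': { version: '2.19.3' },
  'node_modules/moment-timezone': { version: '0.5.10' },
  'node_modules/report-lib/node_modules/moment': { version: '2.19.2' },
} };
console.log(findVulnerableMoment(sampleV1), findVulnerableMoment(sampleV3));
```

In both samples the top-level moment is patched and only the copy nested under the hypothetical `report-lib` is reported, which is the case a check of package.json alone would miss.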

Patches

69ed9d44957f

[bugfix] Fix for ReDOS vulnerability (see #4163) (#4326)

https://github.com/moment/moment · crackmigg · Nov 29, 2017 · via ghsa
3 files changed · +3 -3
  • min/moment-with-locales.js · +1 -1 · modified
    @@ -653,7 +653,7 @@ var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
     
     // any word (or two) characters or numbers including two/three word month in arabic.
     // includes scottish gaelic two word and hyphenated months
    -var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
    +var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
     
     
     var regexes = {};
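
Review bot: the new `matchWord` literal in this file is the same hand-edited line as in moment.js and src/lib/parse/regex.js, so three copies of one pattern now have to stay in sync. If min/moment-with-locales.js is a build output, regenerate it from src/lib/parse/regex.js in the release step rather than patching it in the same commit; if it is maintained by hand, add a check that the three literals are identical.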
    
  • moment.js · +1 -1 · modified
    @@ -659,7 +659,7 @@ var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
     
     // any word (or two) characters or numbers including two/three word month in arabic.
     // includes scottish gaelic two word and hyphenated months
    -var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
    +var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
     
     
     var regexes = {};
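
Review bot: the bound 256 appears four times in the new `matchWord` with nothing saying where it comes from, and the two comment lines above it still describe only which words match. Add a comment stating that the quantifiers are capped to limit backtracking (see #4163) and why 256 is taken to be longer than any real month or weekday name. The same comment should record that the pattern as written here is unanchored, so a token longer than 256 characters now produces a 256-character partial match instead of matching the whole run.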
    
  • src/lib/parse/regex.js · +1 -1 · modified
    @@ -20,7 +20,7 @@ export var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
     
     // any word (or two) characters or numbers including two/three word month in arabic.
     // includes scottish gaelic two word and hyphenated months
    -export var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
    +export var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
     
     
     import hasOwnProp from '../utils/has-own-prop';
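
Review bot: in the second alternative of the new `matchWord`, `[\u0600-\u06FF\/]{1,256}` and the group `(\s*?[\u0600-\u06FF]{1,256}){1,2}` still accept the same Arabic-range characters, and `\s*?` can match nothing, so a run of those characters can still be split between them in many ways; the caps bound that work but do not remove the ambiguity. Consider making the separator mandatory (`\s+`) if the locale data allows it, and add a regression test to this change that parses a long input and asserts it returns within a time budget, since none of the three files touched is a test.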
    
