luxon.js inefficient regular expression complexity vulnerability
Description
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Luxon's DateTime.fromRFC2822() has quadratic complexity leading to ReDoS; patched in versions 1.38.1, 2.5.2, and 3.2.1.
Luxon, a JavaScript date/time library, contains a Regular Expression Denial of Service (ReDoS) vulnerability in its DateTime.fromRFC2822() method. The parsing regex has quadratic (N^2) complexity on specific crafted inputs, causing a noticeable slowdown for strings longer than 10,000 characters [1]. This issue is similar to CVE-2022-31129 in the Moment library [3].
An attacker can exploit this by supplying untrusted data to fromRFC2822(), such as user-provided date strings. No authentication is required; any application that parses RFC2822 dates from external sources is vulnerable. The attack surface is broad, as Luxon is widely used in Node.js and browser environments [4].
Successful exploitation leads to a denial of service (DoS) condition, where the application becomes unresponsive due to excessive CPU consumption. This can disrupt service availability and potentially lead to resource exhaustion [1].
Patches are available in Luxon versions 1.38.1, 2.5.2, and 3.2.1, which fix the regex to prevent quadratic backtracking [2]. As a workaround, users can limit the length of input strings to fromRFC2822() to mitigate the risk [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
luxonnpm | >= 1.0.0, < 1.28.1 | 1.28.1 |
luxonnpm | >= 2.0.0, < 2.5.2 | 2.5.2 |
luxonnpm | >= 3.0.0, < 3.2.1 | 3.2.1 |
Affected products
3- moment/luxonv5Range: >= 1.0.0, < 1.38.1
Patches
11 file changed · +1 −1
src/impl/regexParser.js+1 −1 modified@@ -225,7 +225,7 @@ function extractRFC2822(match) { function preprocessRFC2822(s) { // Remove comments and folding whitespace and replace multiple-spaces with a single space return s - .replace(/\([^)]*\)|[\n\t]/g, " ") + .replace(/\([^()]*\)|[\n\t]/g, " ") .replace(/(\s\s+)/g, " ") .trim(); }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/advisories/GHSA-3xq5-wjfh-ppjcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-22467ghsaADVISORY
- github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bfghsax_refsource_MISCWEB
- github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjcghsax_refsource_CONFIRMWEB
- github.com/moment/moment/pull/6015ghsax_refsource_MISCWEB
- github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9gghsax_refsource_MISCWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZRghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR/mitre
News mentions
0No linked articles in our index yet.