Outdated Date Library Can Be Used to Slow Down or Freeze Your Application
Your application uses an old version of Moment.js, a popular JavaScript tool for handling dates and times. This version has a known flaw where a specially crafted date string can cause the server to get stuck processing it, making your app slow or unresponsive for other users. Think of it like a trick question that causes a calculator to spin forever — it doesn't break the calculator, but it stops it from doing anything else.
Business Impact And Actions
Business Impact (medium urgency)
If your app accepts date input from users (e.g., date pickers, search filters, API fields) and passes it directly to Moment.js, an attacker could deliberately trigger this slowdown. The practical risk is temporary service disruption — your app becomes slow or unavailable for legitimate users. There is no risk of data theft or account compromise from this specific issue. This may also flag in compliance or vendor security reviews as an unpatched known vulnerability.
What To Do
- Ask your developer to check which version of Moment.js your app uses and upgrade it to version 2.19.3 or higher — this is typically a 30-minute task.
- If your app accepts date values typed or submitted by users, ask your developer to validate that input before it's processed — only accept properly formatted dates.
- Consider whether Moment.js is still needed at all: it is no longer actively developed. Your developer may recommend switching to a modern alternative like Day.js or the built-in JavaScript date tools.
- Once the update is done, ask your developer to confirm the new version is deployed in your live environment, not just in development.
Moment.js < 2.19.3 ReDoS via Crafted Date String (CVE-2017-18214)
Vulnerability Explanation (medium severity, CVSS 7.5)
Moment.js versions before 2.19.3 contain a vulnerable regular expression used during string-based date parsing. The regex `/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i` is susceptible to catastrophic backtracking. When a specially crafted string is passed to `moment()`, the regex engine enters exponential backtracking, consuming CPU and blocking Node.js's single-threaded event loop. While one thread is stuck, no other requests can be processed, effectively causing a denial of service. Exploitation requires that user-controlled input reaches a `moment()` call without prior sanitisation.
Root Cause
The vulnerable regex uses nested quantifiers and alternation patterns that allow the regex engine to explore an exponential number of possible match paths when given a pathological input. This is a classic ReDoS (Regular Expression Denial of Service) pattern — the regex was not designed with adversarial input in mind.
Technical Impact
An unauthenticated remote attacker who can supply a crafted date string to any endpoint that calls `moment(userInput)` can block the Node.js event loop for seconds to minutes per request, causing denial of service for all concurrent users. No data is exposed and no code is executed — the impact is limited to availability (CVSS:3.0 A:H, C:N, I:N).
Severity Justification
CVSS 3.0 Base Score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) per IBM X-Force and NVD. However, exploitability is conditional: the vulnerability is only triggerable if user-controlled input is passed directly to moment() without validation. Snyk rates the practical severity lower (3.7) due to this precondition. Assessed here as medium given the realistic but conditional exploitability.
Affected Components
moment.js < 2.19.3
Remediation Steps
- Upgrade moment.js to version 2.19.3 or later: `npm install moment@latest` or `yarn add moment@latest`. Pin the version in package.json.
- If you cannot upgrade immediately, add input validation before any `moment(userInput)` call — reject strings that are not recognisable date formats (e.g., validate against a strict regex or use a whitelist of accepted formats via `moment(input, 'YYYY-MM-DD', true)` with strict mode enabled).
- Audit all usages of `moment()` in your codebase to identify locations where user-supplied strings are passed without a format argument. Prefer `moment(input, format, true)` (strict mode) over `moment(input)` to avoid the vulnerable auto-detection path.
- Consider migrating away from Moment.js entirely — it is in maintenance mode and no longer actively developed. Lightweight alternatives such as Day.js (API-compatible) or Luxon are actively maintained and do not carry this legacy debt.
- After upgrading, run `npm audit` or `yarn audit` to confirm no remaining known vulnerabilities are reported for moment.
Verification Steps
- Run `npm list moment` or `yarn list moment` to confirm the installed version is 2.19.3 or higher.
- Run `npm audit` and verify CVE-2017-18214 no longer appears in the output.
- In a safe test environment, call `moment('('.repeat(10000))` and confirm it returns quickly (under 100ms) rather than hanging.
Code Examples (javascript)
// Vulnerable: user input passed directly to moment() with no format.
// moment() then runs its format auto-detection, which on < 2.19.3 applies the
// backtracking-prone regex to whatever string req.query.date (an Express query
// parameter, fully attacker-controlled) happens to contain.
const moment = require('moment');
const date = moment(req.query.date);
if (date.isValid()) { /* ... */ }

// Fixed option 1: upgrade to moment >= 2.19.3 AND use strict mode with an explicit
// format, so auto-detection never runs and anything not exactly YYYY-MM-DD is invalid
const strictDate = moment(req.query.date, 'YYYY-MM-DD', true);
if (strictDate.isValid()) { /* ... */ }

// Fixed option 2: migrate to Day.js (moment-compatible API, actively maintained);
// the customParseFormat plugin is what enables the strict third argument
const dayjs = require('dayjs');
const customParseFormat = require('dayjs/plugin/customParseFormat');
dayjs.extend(customParseFormat);
const dayjsDate = dayjs(req.query.date, 'YYYY-MM-DD', true);
if (dayjsDate.isValid()) { /* ... */ }
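The boundary validation that remediation step 2 and the best-practice list call for, as an added example that is not part of this advisory's own code. It assumes the endpoint accepts only ISO calendar dates (YYYY-MM-DD) and uses a built-in Date stand-in for the strict parser so it runs without moment installed.

```javascript
// Added example: boundary validation in front of any date-parsing library.
// A length cap plus an anchored, backtracking-free pattern means an arbitrary
// user string never reaches the auto-detecting moment(input) path at all.
// Assumption: the endpoint accepts ISO calendar dates (YYYY-MM-DD) only.

const MAX_DATE_INPUT_LENGTH = 10; // 'YYYY-MM-DD' is exactly 10 characters
const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/; // anchored, no nested quantifiers

// Returns { ok: true, value } for an acceptable date or { ok: false, reason }.
function validateDateInput(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Cheapest guard first: it also bounds the work any downstream regex can
  // do, which matters while a vulnerable library version is still deployed.
  if (input.length > MAX_DATE_INPUT_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  const m = ISO_DATE.exec(input);
  if (!m) {
    return { ok: false, reason: 'not YYYY-MM-DD' };
  }
  const year = Number(m[1]), month = Number(m[2]), day = Number(m[3]);
  // Date.UTC silently rolls impossible dates forward (2023-02-30 -> March 2), so
  // round-trip the fields to reject them. Side effect: years below 0100 are also
  // rejected, because Date.UTC maps them to 1900-1999.
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return { ok: false, reason: 'impossible calendar date' };
  }
  return { ok: true, value: input };
}

// Stand-in for the app's strict parser, e.g. (s) => moment(s, 'YYYY-MM-DD', true),
// so the example runs without moment installed; returns a Date at UTC midnight.
function builtinStrictParse(s) {
  return new Date(s + 'T00:00:00Z');
}

// The only path user input should take to a parser: validate, then parse.
// Returns null when the input is rejected; the parser is never invoked then.
function parseUserDate(input, parse = builtinStrictParse) {
  const v = validateDateInput(input);
  return v.ok ? parse(v.value) : null;
}
```

In the application, `parse` would be the strict moment or Day.js call from the examples above; the validator stays the same regardless of which library sits behind it.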
Best Practices
- Always pass a format string and enable strict mode when parsing user-supplied dates: `moment(input, 'YYYY-MM-DD', true)`.
- Validate and sanitise date inputs at the API boundary before they reach any date-parsing library.
- Include third-party JavaScript libraries in your dependency audit pipeline (e.g., `npm audit` in CI) so outdated packages are caught before they reach production.
- When a library enters maintenance mode, schedule a migration to an actively maintained alternative during your next planned refactoring cycle.
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.