PatchSiren cyber security CVE debrief

CVE-2016-4055 Momentjs CVE debrief

CVE-2016-4055 is a regular expression denial-of-service issue in Moment.js duration handling before version 2.11.2. According to NVD, attacker-controlled long strings can drive excessive CPU consumption and deny service. The NVD record rates the issue Medium (CVSS 6.5) with network attack, low attack complexity, no user interaction, and high availability impact.

Vendor: Momentjs
Product: CVE-2016-4055
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications that parse untrusted duration input with Moment.js, plus operators of products that NVD maps to this CVE, including Tenable Nessus and Oracle Primavera Unifier.

Technical summary

NVD describes the flaw as a ReDoS in the duration function in moment package versions before 2.11.2. The published CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable denial-of-service condition that primarily affects availability. NVD also lists vulnerable CPE criteria for Moment.js itself and for downstream products Tenable Nessus (through 8.2.3) and Oracle Primavera Unifier (16.0 through 18.8.4).

Defensive priority

Medium, and higher for exposed services that accept user-controlled duration strings or for products explicitly listed as affected by NVD.

Recommended defensive actions

  • Upgrade Moment.js to 2.11.2 or later wherever it is directly used.
  • Inventory Node.js services and libraries that rely on Moment.js duration parsing, especially where input is attacker-controlled.
  • Add input validation, length limits, and request or parse timeouts around duration handling paths.
  • Monitor for CPU spikes or request slowdowns that could indicate regex backtracking abuse.
  • Patch or verify vendor guidance for any downstream products NVD maps to this CVE, including Tenable Nessus and Oracle Primavera Unifier, based on the affected versions listed in NVD.
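The following is an added example, not code from Moment.js or from this debrief, showing how the third and fourth actions above can be applied in a Node.js service: untrusted duration strings are length-capped and matched against an anchored, backtracking-free pattern before any library parser sees them, and each parse is timed so slow parses (the symptom of regex backtracking) can be surfaced to monitoring. It assumes input is expected in ISO 8601 duration form (for example "P1DT2H30M"); the 64-character cap, the 50 ms slow-parse threshold and the toy seconds converter that stands in for moment.duration() are all illustrative choices, not values from the advisory.

```javascript
// Added example (not Moment.js or PatchSiren code): defensive handling of
// untrusted duration strings before they reach a library parser such as
// moment.duration(). The limits below are illustrative, not from the advisory.

const MAX_DURATION_LENGTH = 64; // hard cap on untrusted input size
const SLOW_PARSE_MS = 50;       // parses slower than this are reported

// Anchored pattern built only from fixed-width, non-overlapping groups, so a
// mismatch fails after a bounded number of steps instead of backtracking
// across the whole string. Date part: Y M W D; time part after 'T': H M S.
const ISO_DURATION =
  /^P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:\.\d{1,9})?S)?)?$/;

// Gate untrusted input: cheapest check first, regex last.
function validateDurationInput(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > MAX_DURATION_LENGTH) {
    return { ok: false, reason: `longer than ${MAX_DURATION_LENGTH} characters` };
  }
  // 'P' alone or a trailing 'T' match the regex but carry no components.
  if (input === 'P' || input.endsWith('T') || !ISO_DURATION.test(input)) {
    return { ok: false, reason: 'not a well-formed ISO 8601 duration' };
  }
  return { ok: true, value: input };
}

// Toy stand-in for the library parser: one linear scan of an already
// validated string, converted to seconds. Uses 30-day months and 365-day
// years purely for illustration.
const UNIT_SECONDS = {
  date: { Y: 365 * 86400, M: 30 * 86400, W: 7 * 86400, D: 86400 },
  time: { H: 3600, M: 60, S: 1 },
};

function durationToSeconds(validated) {
  let total = 0;
  let table = UNIT_SECONDS.date;
  let number = '';
  for (const ch of validated.slice(1)) { // skip the leading 'P'
    if (ch === 'T') { table = UNIT_SECONDS.time; continue; }
    if ((ch >= '0' && ch <= '9') || ch === '.') { number += ch; continue; }
    total += parseFloat(number) * table[ch]; // ch is one of the unit letters
    number = '';
  }
  return total;
}

// Wraps any parser with the validation gate and a wall-clock measurement so
// unexpectedly slow parses can be logged for the monitoring action above.
function safeParseDuration(input, parse = durationToSeconds, log = console.warn) {
  const check = validateDurationInput(input);
  if (!check.ok) {
    throw new RangeError(`rejected duration input: ${check.reason}`);
  }
  const start = process.hrtime.bigint();
  const result = parse(check.value);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  if (elapsedMs > SLOW_PARSE_MS) {
    log(`slow duration parse: ${elapsedMs.toFixed(1)} ms for ${check.value.length}-char input`);
  }
  return result;
}

// Constructed sample inputs: one well-formed, one oversized, one malformed.
const SAMPLES = ['P1DT2H30M', 'P'.padEnd(100, '1'), 'not a duration'];
for (const sample of SAMPLES) {
  try {
    console.log(sample.slice(0, 20), '->', safeParseDuration(sample), 'seconds');
  } catch (err) {
    console.log(sample.slice(0, 20), '->', err.message);
  }
}
```

In a real service the `parse` argument would be the library call (for example a function wrapping `moment.duration(value)`), keeping the validation and timing logic independent of the parser version; the length cap applies before the regex runs, so even the validator's own pattern never sees arbitrarily long input.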

Evidence notes

The supplied NVD metadata states that Moment.js before 2.11.2 is vulnerable to a ReDoS caused by long strings in the duration function. NVD also provides the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-400. The record further lists vulnerable CPE criteria for momentjs:moment, Tenable Nessus through 8.2.3, and Oracle Primavera Unifier 16.0 through 18.8.4. No CISA KEV entry was supplied in the corpus.

Official resources

CVE published by NVD on 2017-01-23 and last modified in the supplied record on 2026-05-13. This debrief uses only the provided CVE/NVD corpus and linked references.