
Cloud Vulnerability DB
A community-led vulnerabilities database
Luxon, a JavaScript library for working with dates and times, was found to contain a vulnerability (CVE-2023-22467) affecting multiple versions: the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1. The vulnerability was discovered in the DateTime.fromRFC2822() method, which exhibited quadratic (N^2) complexity on specific inputs (GitHub Advisory).
The vulnerability stems from inefficient regular expression complexity in the DateTime.fromRFC2822() method. The issue causes noticeable performance degradation when processing inputs with lengths exceeding 10,000 characters. The vulnerability is related to the same issue found in Moment.js as CVE-2022-31129. The CVSS v3.1 base score is 7.5 (High), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
When exploited, this vulnerability can lead to Regular Expression Denial of Service (ReDoS) attacks. Users who provide untrusted data to the DateTime.fromRFC2822() method are vulnerable to these attacks, which can cause significant performance issues and potential denial of service conditions (GitHub Advisory).
The vulnerability has been patched in versions 1.38.1, 2.5.2, and 3.2.1. As a workaround, users are advised to limit the length of input provided to the DateTime.fromRFC2822() method. Organizations should upgrade to the patched versions to ensure protection against this vulnerability (NVD).
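The two mitigations above (upgrading and capping input length) can be sketched as follows. This is an added example, not code from Luxon or the advisory: the function names and the 128-character cap are assumptions, and the parser is passed in as a parameter so the block runs without Luxon installed.

```javascript
// Patched releases per branch, taken from the advisory text above.
const PATCHED = { 1: [1, 38, 1], 2: [2, 5, 2], 3: [3, 2, 1] };
// Assumed cap: a well-formed RFC 2822 date is well under 100 characters.
const MAX_RFC2822_LEN = 128;

// True when a luxon version string is older than the patched release of its branch.
function isAffectedLuxon(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  const v = m.slice(1).map(Number);
  const fixed = PATCHED[v[0]];
  if (!fixed) return false; // branch not named by the advisory
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the patched release
}

// Returns the subset of an inventory (e.g. versions read from lockfiles) to upgrade.
function triage(versions) {
  return versions.filter((v) => isAffectedLuxon(v));
}

// Wraps an RFC 2822 parser so non-string or over-long input never reaches it.
// In an application, `parse` would be (s) => DateTime.fromRFC2822(s).
function guardRFC2822(parse, maxLen = MAX_RFC2822_LEN) {
  return function (input) {
    if (typeof input !== "string") return { ok: false, reason: "not-a-string" };
    if (input.length > maxLen) return { ok: false, reason: "too-long" };
    return { ok: true, value: parse(input) };
  };
}

// Constructed sample inventory of luxon versions.
const sampleVersions = ["1.28.0", "1.38.1", "2.5.0", "2.5.2", "3.2.0", "3.2.1", "3.4.4"];
console.log(triage(sampleVersions));
```

The length check is a stopgap for deployments that cannot upgrade immediately; rejected inputs are worth logging, since legitimate RFC 2822 dates never approach the cap.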
Source: This report was generated using AI