Description
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
Recommendation
Update the moment package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.29.2
- Patched version(s): 2.29.2
References
- GHSA-8hfj-j24r-96c4
- www.tenable.com
- lists.debian.org
- lists.fedoraproject.org
- security.netapp.com
- CVE-2022-24785
- CWE-22
- CWE-27
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Path Traversal in http-server-node - CVE-2021-23797
- Path Traversal in html-pages - CVE-2018-3744
- React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
- static-server Path Traversal vulnerability - CVE-2023-26152
- Tags:
- npm
- moment
Anything's wrong? Let us know Last updated on November 04, 2025