Description
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
Recommendation
Update the moment package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.29.2
- Patched version(s): 2.29.2
References
- GHSA-8hfj-j24r-96c4
- www.tenable.com
- lists.debian.org
- lists.fedoraproject.org
- security.netapp.com
- CVE-2022-24785
- CWE-22
- CWE-27
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Directory Traversal vulnerability in serve-lite - CVE-2022-21192
- Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39365
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
You might also like:
- Tags:
- npm
- moment
Anything's wrong? Let us know Last updated on November 04, 2025