Description
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
Recommendation
Update the moment package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.29.2
- Patched version(s): 2.29.2
References
- GHSA-8hfj-j24r-96c4
- www.tenable.com
- security.netapp.com
- lists.fedoraproject.org
- lists.debian.org
- CVE-2022-24785
- CWE-22
- CWE-27
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 4 - CVE-2019-10744
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 2 - CVE-2019-10744
- Passbolt Browser Extension leaks password information - CVE-2024-33669
- JSONata expression can pollute the "Object" prototype - CVE-2024-27307
- Tags:
- npm
- moment
Anything's wrong? Let us know Last updated on November 29, 2023