Description
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
Recommendation
Update the moment package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.29.2
- Patched version(s): 2.29.2
References
- GHSA-8hfj-j24r-96c4
- www.tenable.com
- lists.debian.org
- lists.fedoraproject.org
- security.netapp.com
- CVE-2022-24785
- CWE-22
- CWE-27
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Path Traversal in simplehttpserver - CVE-2018-16478
- Path Traversal in html-pages - CVE-2018-3744
- Path traversal in rollup-plugin-serve - CVE-2020-7684
- @mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools - CVE-2026-33989
- Tags:
- npm
- moment
Anything's wrong? Let us know Last updated on November 04, 2025