PT-2022-16878 · Npm+4 · Moment.Js+5

Ichernev · Published 2022-04-04 · Updated 2026-06-04

·

CVE-2022-24785

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Moment.js versions 1.0.1 through 2.29.1

Description

A path traversal vulnerability impacts npm (server) users of Moment.js, especially if a user-provided locale string is directly used to switch moment locale. This issue allows an unauthenticated attacker to provide a filesystem path as invalid input. The problem is patched in version 2.29.2.

Recommendations

For versions 1.0.1 through 2.29.1, update to version 2.29.2 to resolve the issue. As a temporary workaround, sanitize the user-provided locale name before passing it to Moment.js.
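
One way to implement the temporary workaround above, shown as an added example that is not code from Moment.js or from this advisory: the user-supplied locale is normalized, checked against a strict shape, and then matched against an allowlist before it may reach `moment.locale()`. The names `SUPPORTED_LOCALES`, `DEFAULT_LOCALE`, `LOCALE_SHAPE` and `resolveLocale`, the locale set, and the Express-style `req.query.lang` in the closing comment are assumptions.

```javascript
// Added example: allowlist validation for a user-supplied locale name.
// SUPPORTED_LOCALES and resolveLocale are hypothetical names, not Moment.js APIs.

// Locales this application actually ships (constructed sample set).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'de', 'fr', 'pt-br', 'zh-cn']);
const DEFAULT_LOCALE = 'en';

// Shape of a locale key: a language code plus up to two hyphenated subtags.
// Dots, slashes, backslashes, NUL bytes and percent signs can never match.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8}){0,2}$/;

function resolveLocale(input) {
  // Arrays and objects (e.g. ?lang[]=de) and oversized values are rejected.
  if (typeof input !== 'string' || input.length > 20) {
    return DEFAULT_LOCALE;
  }
  // Accept "pt_BR" / "EN-gb" style input from headers or query strings.
  const candidate = input.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(candidate)) {
    return DEFAULT_LOCALE; // path-shaped input such as "../../x" stops here
  }
  // Shape alone is not enough: only locales we ship may reach the loader.
  return SUPPORTED_LOCALES.has(candidate) ? candidate : DEFAULT_LOCALE;
}

// Constructed sample inputs, including path-shaped strings.
const samples = ['de', 'pt_BR', '../../etc/passwd', 'en/../../tmp/x',
                 'xx', ['de'], 'fr\u0000'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveLocale(s));
}

// In the application, only the resolved value is handed to Moment.js
// (req.query.lang is an assumed Express-style request field):
//   moment.locale(resolveLocale(req.query.lang));
```

The allowlist is the control that matters here; the shape check only keeps obviously malformed input from reaching the lookup.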

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-00718
CVE-2022-24785
DLA-3295-1
GHSA-8HFJ-J24R-96C4
MGASA-2022-0323
MGASA-2024-0067
RHSA-2022:4918
RHSA-2022:4919
RHSA-2022:6272
RHSA-2022:6277
RHSA-2023:0076
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2025:4226
RHSA-2025:4437
USN-5559-1

Affected Products

Astra Linux
Bitbucket
Confluence
Linuxmint
Moment.Js
Ubuntu