CVE-2022-24785
HIGH EXPLOITED
Moment < 2.29.2 - Path Traversal
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Exploits (1)
nomisec
WORKING POC
1 star
by pS3ud0RAnD0m · poc
https://github.com/pS3ud0RAnD0m/cve-2022-24785-poc-lab
References (8)
Scores
CVSS v3
7.5
EPSS
0.0226
EPSS Percentile
84.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
VulnCheck KEV
2024-07-25
CWE
CWE-22
CWE-27
Status
published
Products (8)
debian/debian_linux
10.0
fedoraproject/fedora
35
fedoraproject/fedora
36
momentjs/moment
1.0.1 - 2.29.2 (2 CPE variants)
netapp/active_iq
npm/moment
0 - 2.29.2 (npm)
nuget/Moment.js
0 - 2.29.2 (NuGet)
tenable/tenable.sc
< 5.21.0
Published
Apr 04, 2022
Tracked Since
Feb 18, 2026