CVE-2022-24785

HIGH EXPLOITED

Moment.js 1.0.1-2.29.1 - Path Traversal via Locale Switching

Title source: llm

Exploitation Summary

CVE-2022-24785 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including pS3ud0RAnD0m.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2022-24785, a path traversal vulnerability in Moment.js. The Node.js Express app demonstrates the vulnerability by allowing arbitrary locale file inclusion via the `localeId` parameter.

Description

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Exploits (1)

nomisec WORKING POC 1 stars

by pS3ud0RAnD0m · poc

https://github.com/pS3ud0RAnD0m/cve-2022-24785-poc-lab

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2022-24785, a path traversal vulnerability in Moment.js. The Node.js Express app demonstrates the vulnerability by allowing arbitrary locale file inclusion via the `localeId` parameter.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Moment.js versions prior to 2.29.2

No auth needed

Prerequisites: Network access to the vulnerable application · Moment.js version < 2.29.2

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8

Core References

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html

Patch

https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5

View Patch ZIP pw:eip

Vendor Advisory

https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220513-0006/

Patch, Release Notes, Third Party Advisory

https://www.tenable.com/security/tns-2022-09

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241108-0002/

Scores

CVSS v3 7.5

EPSS 0.0167

EPSS Percentile 82.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2024-07-25

CWE

CWE-22 CWE-27

Status published

Products (8)

debian/debian_linux 10.0

fedoraproject/fedora 35

fedoraproject/fedora 36

momentjs/moment 1.0.1 - 2.29.2 (2 CPE variants)

netapp/active_iq

npm/moment 0 - 2.29.2npm

nuget/Moment.js 0 - 2.29.2NuGet

tenable/tenable.sc < 5.21.0

Published Apr 04, 2022

Tracked Since Feb 18, 2026