CVE-2022-24785
published 2022-04-04

Priority: P2 · 76 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
ITW · VulnCheck KEV · Exploited in the wild
EPSS: 5.66% (92.0th percentile)

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Affected

10 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | node-moment | < node-moment 2.29.2+ds-1 (bookworm) | node-moment 2.29.2+ds-1 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
ghost | ghost | >= 0 < 4.48.2 | 4.48.2
ghost | ghost | >= 5.0.0 < 5.2.3 | 5.2.3
moment | moment | |
moment | moment | >= 0 < 2.29.2 | 2.29.2
momentjs | moment | >= 1.0.1 < 2.29.2 | 2.29.2
tenable | tenable.sc | < 5.21.0 | 5.21.0

Detection & IOCs (extracted from sources)

  • Detect vulnerable Moment.js versions (1.0.1 through 2.29.1) loaded in web applications; flag any version below 2.29.2 as potentially exploitable for path traversal via locale parameter
  • Look for user-controlled input flowing into the Moment.js locale() function's name parameter on the server side — this is the specific taint path exploited by CVE-2022-24785
  • Flag taint flows where a parameter named 'locale' (or similar) from an HTTP request reaches a file path resolution context in Node.js/npm server-side Moment.js usage
  • Use Qualys WAS QID 151025 as a detection reference for identifying vulnerable Moment.js deployments associated with CVE-2022-24785
  • Vulnerability only affects npm (server-side) users of Moment.js; client-side browser-only usage is not impacted by this path traversal
  • Exploitation requires that a user-provided locale string is passed directly to Moment.js without sanitization; applications that sanitize locale input before passing it to Moment.js are not exploitable
  • The vulnerability was not intentional but a consequence of sloppy coding practices: nothing in the API name or documentation signals the security-sensitive file path behavior, meaning many integrations may unknowingly pass untrusted data to the locale function
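One way to apply the "sanitize the user-provided locale name" workaround on the server, as an added example that is not code from the advisory or from the Moment.js project. It uses an allowlist rather than character stripping; resolveLocale, SUPPORTED_LOCALES, DEFAULT_LOCALE and the req.query.locale usage in the last comment are hypothetical names and assumptions.

```javascript
// Locales this application ships (assumption: adjust to your deployment).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'pt-br', 'zh-cn']);
const DEFAULT_LOCALE = 'en';

// Shape of a locale name: letters, then optional hyphen-separated
// alphanumeric subtags. No '.', '/', '\' or NUL byte can match.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

// Returns { locale, rejected }. `rejected` is true when the raw input was
// malformed, which is worth logging as a possible traversal probe.
function resolveLocale(raw) {
  if (raw === undefined || raw === null || raw === '') {
    return { locale: DEFAULT_LOCALE, rejected: false };
  }
  // Query parsers can hand back arrays or objects (?locale[]=x); refuse them.
  if (typeof raw !== 'string' || raw.length > 35) {
    return { locale: DEFAULT_LOCALE, rejected: true };
  }
  const name = raw.toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(name)) {
    return { locale: DEFAULT_LOCALE, rejected: true };
  }
  // Try the full name, then progressively shorter prefixes (fr-ca -> fr).
  const parts = name.split('-');
  while (parts.length > 0) {
    const candidate = parts.join('-');
    if (SUPPORTED_LOCALES.has(candidate)) {
      return { locale: candidate, rejected: false };
    }
    parts.pop();
  }
  // Well-formed but not shipped: fall back quietly.
  return { locale: DEFAULT_LOCALE, rejected: false };
}

// Constructed sample inputs, as they might arrive in a request parameter.
const samples = ['fr', 'pt_BR', 'fr-CA', '../../tmp/upload', 'en\u0000', ['en'], 'xx'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(resolveLocale(s)));
}
// In a handler (assumed Express-style request object):
//   moment.locale(resolveLocale(req.query.locale).locale);
```

Only a value taken from the allowlist ever reaches Moment.js, so the check holds on unpatched versions as well; upgrading to 2.29.2 remains the actual fix.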

CVSS provenance

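Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa | | 7.5 | HIGH |
osv | | 7.5 | HIGH |
vulncheck | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_oracle | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |
vendor_ubuntu | | 7.5 | HIGH |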