VYPR
High severity · NVD Advisory · Published Apr 4, 2022 · Updated Nov 3, 2025

Path Traversal in Moment.js

CVE-2022-24785

Description

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moment.js npm versions 1.0.1 to 2.29.1 allow path traversal via unsanitized user locale strings, risking file disclosure.

Vulnerability

Moment.js versions 1.0.1 to 2.29.1 contain a path traversal vulnerability in the npm package. If a user-controlled locale string is passed directly to Moment.js locale functions, an attacker can traverse directories and read arbitrary files on the server filesystem [1].

Exploitation

An attacker must supply a malicious locale string (e.g., ../../../etc/passwd) to an application that uses Moment.js and passes the string unsanitized to locale-switching methods. No authentication is required if the application exposes this functionality publicly [1].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server, leading to information disclosure of sensitive data such as configuration files, credentials, or source code [1].

Mitigation

The vulnerability is fixed in Moment.js 2.29.2 [1]. Users should upgrade to this version or later. As a workaround, sanitize user-provided locale names before passing them to Moment.js [1]. Tenable.sc 5.21.0 includes the patched version [2].
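The workaround above (sanitize the user-provided locale name before it reaches Moment.js) as an added example in JavaScript; this is not code from the Moment.js project or from this advisory. The `resolveLocale()` wrapper, the `LOCALE_ID` allowlist pattern and the sample inputs are assumptions and constructed data of this example, and the example goes one step beyond the upstream fix by pairing the separator denylist with an allowlist and a fallback.

```javascript
// Added example, not Moment.js project code: validate a user-supplied locale
// name before it is passed to moment.locale(). The allowlist pattern and the
// resolveLocale() helper are assumptions of this example.

// Same rule the upstream fix applies: a locale name must not contain a path
// separator, so "../../../etc/passwd" never reaches the locale loader.
function hasNoPathSeparators(name) {
  return typeof name === 'string' && /^[^/\\]*$/.test(name);
}

// Stricter allowlist (an assumption of this example, not a Moment.js rule):
// a lowercase language tag with optional hyphenated subtags, e.g. "en",
// "en-gb", "zh-cn", "x-pseudo". Anything else, including "..", is rejected.
const LOCALE_ID = /^[a-z]{1,8}(-[a-z0-9]{1,8})*$/;

function isValidLocaleId(name) {
  return typeof name === 'string' && LOCALE_ID.test(name);
}

// Decide which locale to activate for a request. Non-strings, names that fail
// the allowlist, and names outside the set the application ships all map to
// the fallback, so the returned value is always safe to hand to moment.locale().
function resolveLocale(userInput, { fallback = 'en', allowed = null } = {}) {
  if (typeof userInput !== 'string') return fallback;
  const name = userInput.trim().toLowerCase(); // case-fold as an example convention
  if (!isValidLocaleId(name)) return fallback;
  if (allowed instanceof Set && !allowed.has(name)) return fallback;
  return name;
}

// Constructed sample inputs standing in for a ?lang= query parameter.
const SAMPLE_INPUTS = [
  'en-GB',
  'zh-cn',
  'x-pseudo',
  '../../../etc/passwd',
  '..\\..\\win.ini',
  'en_GB',
  '',
  null,
];

// Run every sample through both checks and the resolver; returns a table a
// caller (or a test) can inspect.
function demo() {
  const allowed = new Set(['en', 'en-gb', 'zh-cn', 'x-pseudo']);
  return SAMPLE_INPUTS.map((input) => ({
    input,
    separatorCheck: hasNoPathSeparators(input),
    allowlistCheck: isValidLocaleId(typeof input === 'string' ? input.toLowerCase() : input),
    resolved: resolveLocale(input, { fallback: 'en', allowed }),
  }));
}

// In an Express-style handler the call would be:
//   moment.locale(resolveLocale(req.query.lang, { allowed: SHIPPED_LOCALES }));
console.table(demo());
```

The `en_GB` row shows why the denylist alone is a thin defence: it contains no separator and passes `hasNoPathSeparators`, yet it is not a well-formed locale identifier and the allowlist rejects it. Restricting the resolved name to the locales the application actually ships (`allowed`) removes the last bit of attacker influence over what the loader is asked for.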

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
moment      npm         < 2.29.2            2.29.2
Moment.js   NuGet       < 2.29.2            2.29.2

Affected products: 4

Patches: 1

Commit 4211bfc8f157: [bugfix] Avoid loading path-looking locales from fs
Repository: https://github.com/moment/moment · Author: Iskren Chernev · Mar 27, 2022 · via GHSA
1 file changed · +7 −1
  • src/lib/locale/locales.js (+7 −1, modified)
    @@ -62,6 +62,11 @@ function chooseLocale(names) {
         return globalLocale;
     }
     
    +function isLocaleNameSane(name) {
    +    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
    +    return name.match('^[^/\\\\]*$') != null;
    +}
    +
     function loadLocale(name) {
         var oldLocale = null,
             aliasedRequire;
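Review bot: `isLocaleNameSane` passes a string to `name.match()` instead of a regex literal; `'^[^/\\\\]*$'` compiles to `/^[^/\\]*$/`, which does reject `/` and `\`, but the double escaping is easy to misread and `.match` throws a TypeError if `name` is ever not a string. A type guard with a literal is clearer: `return typeof name === 'string' && /^[^/\\]*$/.test(name);`. Since the check only denies two separator characters, a name such as `..` still passes; an allowlist of the characters valid in a locale identifier would be tighter than a denylist.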
    @@ -70,7 +75,8 @@ function loadLocale(name) {
             locales[name] === undefined &&
             typeof module !== 'undefined' &&
             module &&
    -        module.exports
    +        module.exports &&
    +        isLocaleNameSane(name)
         ) {
             try {
                 oldLocale = globalLocale._abbr;
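Review bot: `isLocaleNameSane(name)` is the last operand of the condition, so a rejected name silently takes the same path as an unknown locale and the caller cannot tell "not found" from "refused"; a comment at the point of rejection, or a debug-level log, would make that behaviour explicit and help operators notice probing. The commit touches only `src/lib/locale/locales.js` (+7 −1), so no regression test ships with the fix; one that passes a path-looking name to `loadLocale` and checks that nothing is loaded from the filesystem would protect the guard from being dropped later.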
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 15
