CVE-2022-24785 Overview
Moment.js is a widely-used JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability (CWE-22) affects npm (server) users of Moment.js between versions 1.0.1 and 2.29.1. This vulnerability is particularly dangerous when a user-provided locale string is directly used to switch the moment locale, allowing attackers to traverse the file system and potentially access or include arbitrary files.
Critical Impact
Attackers can exploit user-controlled locale input to perform path traversal attacks on Node.js servers, potentially leading to information disclosure or arbitrary file access through directory traversal sequences.
Affected Products
- Momentjs Moment (versions 1.0.1 through 2.29.1)
- Tenable Tenable.sc
- NetApp Active IQ
- Fedora 35 and 36
- Debian Linux 10.0
Discovery Timeline
- 2022-04-04 - CVE-2022-24785 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-24785
Vulnerability Analysis
This path traversal vulnerability exists in the locale loading mechanism of Moment.js. When applications allow user-supplied input to determine which locale file to load, the library fails to properly sanitize the input before constructing file system paths. This oversight enables attackers to inject path traversal sequences (such as ../) into locale names, causing the application to load arbitrary files from the server's file system rather than legitimate locale files.
The vulnerability is accessible via network without requiring authentication or user interaction. The primary security impact is to data integrity, as attackers can potentially manipulate which files are loaded and processed by the application.
Root Cause
The root cause is insufficient input validation in the locale loading functionality. Prior to the patch, Moment.js did not validate that locale names were safe filesystem identifiers. The library would accept locale strings containing path separator characters (/ or \), allowing attackers to escape the intended locale directory and access files elsewhere on the filesystem.
Attack Vector
The attack targets Node.js server-side applications that pass user-controlled input directly to Moment.js locale switching functions. An attacker can craft malicious locale strings containing directory traversal sequences to access files outside the designated locale directory. For example, a request with a locale parameter like ../../etc/passwd could potentially cause the server to attempt loading sensitive system files.
The security patch implemented in version 2.29.2 adds validation to reject any locale name containing path separator characters:
return globalLocale;
}
+function isLocaleNameSane(name) {
+ // Prevent names that look like filesystem paths, i.e contain '/' or '\\'
+ return name.match('^[^/\\\\]*$') != null;
+}
+
function loadLocale(name) {
var oldLocale = null,
aliasedRequire;
Source: GitHub Commit Details
Detection Methods for CVE-2022-24785
Indicators of Compromise
- HTTP requests containing path traversal sequences (../, ..\\) in locale-related parameters
- Application logs showing attempts to load locale files from unexpected directories
- Error messages indicating failed file access attempts outside the locale directory
- Unusual file system access patterns from Node.js application processes
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor application logs for locale loading errors that reference paths outside the expected locale directory
- Use software composition analysis (SCA) tools to identify vulnerable Moment.js versions in your codebase
- Deploy runtime application self-protection (RASP) solutions to detect file system access anomalies
Monitoring Recommendations
- Enable verbose logging for locale-related operations in applications using Moment.js
- Set up alerts for repeated failed locale loading attempts from the same source
- Monitor dependency scanning reports for vulnerable Moment.js versions across your organization
- Track network requests containing suspicious locale parameter values
How to Mitigate CVE-2022-24785
Immediate Actions Required
- Upgrade Moment.js to version 2.29.2 or later immediately
- Audit all code paths where user input is passed to Moment.js locale functions
- Implement input validation to sanitize locale names before passing to Moment.js
- Review application logs for any evidence of exploitation attempts
Patch Information
The vulnerability is patched in Moment.js version 2.29.2. The fix can also be backported to earlier versions. The patch adds a validation function isLocaleNameSane() that rejects any locale name containing forward slashes (/) or backslashes (\), preventing path traversal attacks.
For detailed patch information, see the GitHub Security Advisory and the GitHub Commit Details.
Additional vendor advisories:
Workarounds
- Sanitize user-provided locale names by removing or rejecting any input containing / or \ characters
- Use an allowlist of valid locale names and reject any input not matching the list
- Avoid passing user-controlled input directly to Moment.js locale switching functions
- Consider migrating to alternative date libraries with active maintenance and security support
# Example input sanitization in Node.js before passing to Moment.js
# Validate locale matches expected format (alphanumeric and hyphens only)
VALID_LOCALE_PATTERN="^[a-zA-Z]{2,3}(-[a-zA-Z]{2,4})?$"
# Reject any locale containing path separators
echo "$locale" | grep -E "^[^/\\\\]*$" || exit 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
