{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-24785","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2025-11-03T21:46:06.689Z","dateReserved":"2022-02-10T00:00:00.000Z","datePublished":"2022-04-04T00:00:00.000Z"},"containers":{"cna":{"title":"Path Traversal in Moment.js","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-01-31T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js."}],"affected":[{"vendor":"moment","product":"moment","versions":[{"version":">= 1.0.1, < 2.29.2","status":"affected"}]}],"references":[{"url":"https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"},{"url":"https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5"},{"url":"https://www.tenable.com/security/tns-2022-09"},{"url":"https://security.netapp.com/advisory/ntap-20220513-0006/"},{"name":"FEDORA-2022-85aa8e5706","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"},{"name":"FEDORA-2022-35b698150c","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"},{"name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22"}]},{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-27: Path Traversal: 'dir/../../filename'","cweId":"CWE-27"}]}],"source":{"advisory":"GHSA-8hfj-j24r-96c4","discovery":"UNKNOWN"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4","tags":["x_transferred"]},{"url":"https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5","tags":["x_transferred"]},{"url":"https://www.tenable.com/security/tns-2022-09","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20220513-0006/","tags":["x_transferred"]},{"name":"FEDORA-2022-85aa8e5706","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"},{"name":"FEDORA-2022-35b698150c","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"},{"name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"},{"url":"https://security.netapp.com/advisory/ntap-20241108-0002/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T21:46:06.689Z"}},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-23T15:56:10.022369Z","id":"CVE-2022-24785","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-23T18:42:13.669Z"}}]}}