This vulnerability impacts npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. `fr`) is passed directly to moment to switch the active locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (1.0.1 through 2.29.1, inclusive).
Workaround: sanitize the user-provided locale name before passing it to moment.js.
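As an added example (not code from the moment.js project), one way to apply the workaround above on a Node.js server: validate the shape of an untrusted locale string and accept it only if it is on an explicit allowlist, falling back to a default otherwise. The allowlist, the `setLocale` callback standing in for `moment.locale()`, and the request values are constructed for this example.

```javascript
// Added example: validate an untrusted locale name before it reaches
// moment.locale(). Strategy: normalise case, require the hyphenated
// shape moment uses for its locale names (e.g. "fr", "en-gb", "zh-cn"),
// then accept only names the server actually ships.

// Constructed allowlist for this example. In a real service build it once
// from the locales you bundle, e.g. `new Set(moment.locales())`.
const SUPPORTED_LOCALES = new Set(["en", "en-gb", "fr", "de", "es", "zh-cn", "pt-br"]);

// A 2-3 letter primary subtag, optionally followed by hyphenated subtags of
// letters and digits. Anything else (slashes, dots, spaces, empty input)
// is rejected outright rather than "cleaned up".
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

const DEFAULT_LOCALE = "en";

// Returns the normalised locale name, or null if the input is not acceptable.
// Rejection is explicit: a bad input is never transformed into a "close" value.
function sanitizeLocale(input, allowlist = SUPPORTED_LOCALES) {
  if (typeof input !== "string" || input.length > 35) return null;
  const candidate = input.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(candidate)) return null;
  return allowlist.has(candidate) ? candidate : null;
}

// Resolve the locale for one request: the sanitized value if valid, else the
// server default. `setLocale` is injected so this file runs without moment
// installed; with moment available pass `(l) => moment.locale(l)`.
function applyRequestLocale(rawLocale, setLocale) {
  const safe = sanitizeLocale(rawLocale) ?? DEFAULT_LOCALE;
  setLocale(safe);
  return safe;
}

// Usage sketch in an Express-style handler (constructed):
//   applyRequestLocale(req.query.lang, (l) => moment.locale(l));
```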
Are there any links users can visit to find out more?
github.com/moment/moment
github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
lists.debian.org/debian-lts-announce/2023/01/msg00035.html
lists.fedoraproject.org/archives/list/[email protected]/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q
lists.fedoraproject.org/archives/list/[email protected]/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5
nvd.nist.gov/vuln/detail/CVE-2022-24785
security.netapp.com/advisory/ntap-20220513-0006
www.tenable.com/security/tns-2022-09