Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2022-24785
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 2.0%, top 16% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 92.1%
- KEV
- Not listed
Published
April 4, 2022
Last Modified
November 3, 2025
References (15)
- security-advisories@githubhttps://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
- security-advisories@githubhttps://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
- security-advisories@githubhttps://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
- security-advisories@githubhttps://security.netapp.com/advisory/ntap-20220513-0006/
- security-advisories@githubhttps://www.tenable.com/security/tns-2022-09
- af854a3a-2127-422b-91ae-364da2661108https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
- af854a3a-2127-422b-91ae-364da2661108https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
- af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
- af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220513-0006/
- af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20241108-0002/
- af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2022-09
Vendor Advisories for CVE-2022-24785(19)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2025:4437Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.13 security update
- RHSA-2025:4226Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.10 on RHEL 7 security update
- RHSA-2023:3642Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Ceph Storage 6.1 Container security and bug fix update
- RHSA-2023:1043Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
- RHSA-2023:1049Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
- RHSA-2023:1047Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
- RHSA-2023:1045Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
- RHSA-2023:1044Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
- +11 more
Frequently asked(5)
What is CVE-2022-24785?
When was CVE-2022-24785 disclosed?
Is CVE-2022-24785 actively exploited?
What is the CVSS score of CVE-2022-24785?
How do I remediate CVE-2022-24785?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2022-24785
Is Your Infrastructure Affected by CVE-2022-24785?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.