CVE-2022-24785 - A Simple Guide to the Path Traversal Vulnerability in Moment.js

Moment.js is one of the most popular JavaScript libraries for parsing, validating, manipulating, and formatting dates. Many Node.js and JavaScript applications use it for handling dates and times. However, in March 2022, a security flaw—CVE-2022-24785—was disclosed, affecting how Moment.js handles locale data. This vulnerability could let attackers break out of the locale directory on the server, potentially leading to unauthorized file access.

In this exclusive guide, let’s break down what CVE-2022-24785 is, how it can be exploited, how to fix it, and what simple steps you can take to protect your apps.

What is CVE-2022-24785?

CVE-2022-24785 is a _path traversal_ vulnerability in Moment.js server-side code. In simple terms, path traversal means an attacker can trick your app into opening files they should not be able to access—just by crafting special input.

This issue affects all Moment.js versions from 1..1 up to 2.29.1. The main risk appears if your code takes user input directly as a locale identifier, for example:

// Dangerous: passing user input to moment.locale()
const locale = req.query.locale; // user-provided value
moment.locale(locale);           // unsafe if not sanitized

If an attacker provides something like ../../../../etc/passwd as the locale, Moment.js could try to load files outside its expected locale folder.

How Does the Vulnerability Work?

Whenever you call moment.locale(localeName) in Node.js, Moment.js tries to load a file describing that locale (locale/localeName.js). If you don’t check what the user provides, they can supply a string containing parent directory traversal (../), so Node might try to load files anywhere on the file system.

Example of a Malicious Request

/api/date?locale=../../../../etc/passwd

If your route looks like

app.get('/api/date', (req, res) => {
  const userLocale = req.query.locale;
  moment.locale(userLocale); // <-- Vulnerable!
  res.send(moment().format('LLLL'));
});

This could let the user force your server to read arbitrary files—perhaps exposing sensitive data or crashing your app.

Suppose you have a REST API endpoint as above. An attacker can directly exploit this

GET /api/date?locale=../../../../etc/passwd HTTP/1.1
Host: yourserver.com

If the file /etc/passwd exists and is readable by your process, Moment.js will try to load it as a JavaScript locale file, potentially exposing its contents or throwing an application error.

References

- GitHub Advisory for CVE-2022-24785
- NIST National Vulnerability Database
- Moment.js Changelog

How Was This Fixed?

Version 2.29.2 of Moment.js patched this issue. The patch added stricter checks to make sure only safe, valid locale names are allowed. The code now validates the input, stopping any attempts to use path traversal.

Upgrade to Moment.js v2.29.2 or later.

- If you’re using an older version and cannot upgrade, sanitize user input before passing it to moment.locale().


## How to Fix/Sanitize User Input

You should make sure the locale string contains only expected values (like en, fr, es, etc.). Here’s one way to do that:

// List of allowed locales (can be expanded as needed)
const ALLOWED_LOCALES = ['en', 'fr', 'es', 'de', 'zh', 'it', 'ja'];

// Safe: validate user input before passing to moment.locale()
let userLocale = req.query.locale;
if (!ALLOWED_LOCALES.includes(userLocale)) {
  userLocale = 'en'; // Default fallback locale
}
moment.locale(userLocale);

Alternatively, use a regular expression to validate input (only letters and hyphens)

let userLocale = req.query.locale;
if (!/^[a-zA-Z-]+$/.test(userLocale)) {
  userLocale = 'en';
}
moment.locale(userLocale);

Summary Table

| Moment.js Version | Vulnerable? | Fix Status    |
|-------------------|-------------|--------------|
| 1..1 – 2.29.1    | Yes         | Patch needed |
| 2.29.2+           | No          | Safe         |

Conclusion

CVE-2022-24785 highlights a classic web security problem: trusting user input without checks, especially when it influences file paths on the server. Upgrading libraries and writing secure code—like sanitizing locale names—are simple steps that can prevent major vulnerabilities.

It’s always smart to keep your dependencies updated and review any area where user input is used for file operations. If you use Moment.js on the server and accept a user locale parameter, check your code today!

Stay safe, and happy coding!

*For more details, check Moment.js's official advisory and NVD entry.*

Timeline

Published on: 04/04/2022 17:15:00 UTC
Last modified on: 07/30/2022 02:50:00 UTC