CVE-2022-24785

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

### Impact This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale. ### Patches This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive). ### Workarounds Sanitize user-provided locale name before passing it to moment.js. ### References _Are there any links users can visit to find out more?_ ### For more information If you have any questions or comments about this advisory: * Open an issue in [moment repo](https://github.com/moment/moment)

### Impact This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg `fr` is directly used to switch moment locale. ### Patches This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive). ### Workarounds Sanitize user-provided locale name before passing it to moment.js. ### References _Are there any links users can visit to find out more?_ ### For more information If you have any questions or comments about this advisory: * Open an issue in [moment repo](https://github.com/moment/moment)

Moment.js es una librería de fechas en JavaScript para analizar, comprobar, manipular y formatear fechas. Una vulnerabilidad de salto de ruta afecta a usuarios de npm (servidor) de Moment.js entre las versiones 1.0.1 y 2.29.1, especialmente si es usada directamente una cadena de configuración regional proporcionada por el usuario para cambiar la configuración regional de Moment. Este problema está parcheado en la versión 2.29.2, y el parche puede aplicarse a todas las versiones afectadas. Como medida de mitigación, sanee el nombre de la configuración regional proporcionada por el usuario antes de pasarlo a Moment.js