Debian Security Advisory

DLA-3295-1 node-moment -- LTS security update

Date Reported:
31 Jan 2023
Affected Packages:
node-moment
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 1009327, Bug 1014845.
In Mitre's CVE dictionary: CVE-2022-24785, CVE-2022-31129.
More information:

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A couple of vulnerabilities were reported as follows:

  • CVE-2022-24785

    A path traversal vulnerability impacts npm (server) users of Moment.js, especially if a user-provided locale string is directly used to switch moment locale.

  • CVE-2022-31129

    Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks.

For Debian 10 buster, these problems have been fixed in version 2.24.0+ds-1+deb10u1.

We recommend that you upgrade your node-moment packages.

For the detailed security status of node-moment please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-moment

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS