CVE-2022-24785: 
JavaScript vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2022-24785) was discovered in Moment.js, a JavaScript date library for parsing, validating, manipulating, and formatting dates. The vulnerability affects versions between 1.0.1 and 2.29.1, particularly impacting npm (server) users when a user-provided locale string is directly used to switch moment locale. The issue was patched in version 2.29.2 (GitHub Advisory, NVD).

The vulnerability is classified as a path traversal issue (CWE-22, CWE-27) with a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). The issue occurs when handling user-provided locale strings, where insufficient validation could allow an attacker to traverse directories through the locale parameter (GitHub Advisory).

Successful exploitation of this vulnerability could lead to addition or modification of data through path traversal. The vulnerability allows attackers to potentially access or modify files outside the intended directory structure when processing locale strings (NetApp Advisory).

The primary mitigation is to upgrade to Moment.js version 2.29.2 which contains the fix for this vulnerability. As a workaround, if upgrading is not immediately possible, users should sanitize any user-provided locale name before passing it to Moment.js (GitHub Advisory, Debian Advisory).

Multiple organizations and vendors responded to this vulnerability by releasing security advisories and patches, including NetApp, Tenable, and various Linux distributions. Debian included this fix in their security updates, and Fedora released updated packages to address the vulnerability (Debian Advisory, Fedora Update).