
Cloud Vulnerability DB
A community-led vulnerabilities database
A command injection vulnerability was discovered in moment-timezone affecting versions 0.1.0 through 0.5.34. The vulnerability exists in the build tasks of the tzdata pipeline, where unsanitized user input could lead to arbitrary command execution when building custom versions of moment-timezone with grunt (GitHub Advisory).
The vulnerability stems from three main components in the build pipeline: data-download.js, data-zdump.js, and data-zic.js. These scripts use Node.js's exec function without proper input sanitization, allowing command injection through version parameters and file paths. The vulnerability is tracked as GHSA-56x4-j7p9-fcf9 and is rated as Low severity. The issue occurs when using grunt commands like 'grunt data:2014d' where the version parameter can be manipulated to include malicious commands (GitHub Advisory).
The vulnerability allows attackers to execute arbitrary commands on the machine running the grunt task with the same privileges as the grunt task itself. This only affects users who build custom versions of moment-timezone with grunt and allow third parties to specify which particular version to build (GitHub Advisory).
The vulnerability has been patched in version 0.5.35. The fix involves switching from exec to execFile in Node.js: execFile passes its arguments directly to the target program as an argument vector rather than through a shell, so shell metacharacters in a version string or file path are treated as literal characters and arbitrary bash fragments can no longer be executed. The patch is applicable with minor tweaks to all affected versions (GitHub Commit).
Source: This report was generated using AI