
A node-moment security update has been released for Debian GNU/Linux 10 LTS to address a couple of vulnerabilities.

DLA 3295-1: node-moment security update

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3295-1 Utkarsh Gupta
January 31, 2023
-----------------------------------------------------------------------

Package : node-moment
Version : 2.24.0+ds-1+deb10u1
CVE ID : CVE-2022-24785 CVE-2022-31129
Debian Bug : 1009327 1014845

Moment.js is a JavaScript date library for parsing, validating,
manipulating, and formatting dates. A couple of vulnerabilities
were reported as follows:


A path traversal vulnerability impacts npm (server) users of
Moment.js, especially if a user-provided locale string is directly
used to switch moment locale.


Affected versions of moment were found to use an inefficient
parsing algorithm. Specifically using string-to-date parsing in
moment (more specifically rfc2822 parsing, which is tried by
default) has quadratic (N^2) complexity on specific inputs. Users
may notice a noticeable slowdown with inputs above 10k
characters. Users who pass user-provided strings without sanity
length checks to the moment constructor are vulnerable to (Re)DoS.
For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your node-moment packages.

For the detailed security status of node-moment please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: