SCA: security update for Moment.js, moment (GHSA-wc69-rhjr-hc9g)

high Tenable Self-Hosted Container Security Plugin ID 419860

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected
versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date
parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2)
complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k
characters. Users who pass user-provided strings without sanity length checks to moment constructor are
vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected
versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider
limiting date lengths accepted from user input. (CVE-2022-31129)

See Also

https://github.com/advisories/GHSA-wc69-rhjr-hc9g

Plugin Details

Severity: High

ID: 419860

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-31129

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/6/2022

Vulnerability Publication Date: 7/6/2022

Reference Information

CVE: CVE-2022-31129