Security Audit

Moment.js Security Audit

4 known vulnerabilities

Moment.js is a widely used npm package. As of 2026-05-24, there are 4 known vulnerabilities in the OSV database. The latest stable version is 2.30.1. Developers should audit their dependency trees and update to patched versions.

Package Overview

Package
moment
Ecosystem
npm
Latest Version
2.30.1
License
MIT
Description
Parse, validate, manipulate, and display dates
Repository
https://github.com/moment/moment
Homepage
https://momentjs.com

Known Vulnerabilities (4)

ID Severity Score Affected Versions Fixed In Description
CVE-2017-18214 HIGH 7.5 0 to 2.19.3 2.19.3 Regular Expression Denial of Service in moment
CVE-2022-24785 HIGH 7.5 0 to 2.29.2; 0 to 2.29.2 2.29.2 Path Traversal: 'dir/../../filename' in moment.locale
CVE-2022-31129 HIGH 7.5 2.18.0 to 2.29.4; 2.18.0 to 2.29.4 2.29.4 Moment.js vulnerable to Inefficient Regular Expression Complexity
CVE-2016-4055 MODERATE 5.0 0 to 2.11.2 2.11.2 Regular Expression Denial of Service in moment

Security Recommendations

  1. Pin Moment.js to the latest stable version (2.30.1) in your dependency manifest
  2. Enable automated dependency updates with Dependabot or Renovate
  3. Run regular vulnerability scans using npm audit
  4. Review your lock file (.package-lock.json) after every update
  5. Monitor the OSV database and NIST NVD for new advisories

FAQ

Is Moment.js safe to use?
Moment.js is actively maintained and widely used. As of 2026-05-24, there are 4 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Moment.js have?
The OSV database currently lists 4 vulnerabilities for Moment.js. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Moment.js to fix vulnerabilities?
Run npm update moment or npm install moment@latest to get the newest version. Use npm audit to identify vulnerable dependencies in your project. Enable automated updates with Dependabot or Renovate to stay current.

Using AI-Generated Code with Moment.js?

Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Moment.js, we can verify it is locked to a safe version and properly configured.

Get a Vibe Coding Security Audit

Related Resources