Security Vulnerability on moment.updateLocale

[davallen]

We have been flagged in multiple repos about the moment.updateLocale() function.

Guidance: - Calls to moment.updateLocale will slowly increase memory usage that is intentionally never freed, which can result in resource exhaustion.

It does not provide guidance on a particular version that this issue might have been fixed within. We are currently using 2.22.2.

Is there a version where this has been fixed? If not, is there a plan in place to address this issue?

[davallen]

Any comment on this issue? This is a high priority for us.

[attritionorg]

tag @ichernev

[ichernev]

So if you have a java script array [] and call .push() on it, the memory keeps growing and is never reclaimed. So a malicious actor with access to .push() can wreck havoc and cause DoS.

updateLocale can be called with null as a second argument which undoes the update. It acts exactly like array push/pop.

May you elaborate what exactly is the issue here, because my simple mind can't comprehend it.

[davallen]

Thanks for the reply. I am working with my internal open source team to understand better why they flagged this as a security issue.

[davallen]

Looks like it was mitigated in later version of package.