All moment.js CVEs — Complete Vulnerability History
moment.js is a date manipulation library that is now in maintenance mode: the maintainers no longer add features and recommend date-fns or dayjs (among others) for new projects. All four of its CVEs fall into two classes: regular-expression denial of service (ReDoS) in date-string parsing, and a path traversal in locale loading. There is no SSRF in moment.js.
npm
20M+ weekly downloads
4 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2016-4055 | 2016 | HIGH | ReDoS via a date-parsing regex with exponential backtracking on crafted input | Fixed 2.11.2 |
| CVE-2017-18214 | 2017 | HIGH | ReDoS via a crafted date string passed to moment() | Fixed 2.19.3 |
| CVE-2022-24785 | 2022 | HIGH | Path traversal when a user-controlled locale name is passed to moment.locale(), allowing arbitrary files to be loaded on the server side | Fixed 2.29.2 |
| CVE-2022-31129 | 2022 | HIGH | ReDoS in the RFC 2822 date-string preprocessing regex; triggered by very long inputs (the advisory cites strings over 10k characters) | Fixed 2.29.4 |
Minimum fixed version: 2.29.4 (any release at or above 2.29.4 contains all four fixes)
# Before
"moment": "2.29.1"
# After
"moment": "2.29.4"
Then run: npm install, commit the updated lockfile, and check npm ls moment so that transitive copies pulled in by other dependencies are upgraded too, not just the direct one.
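As an added example (not PackageFix's or moment's own code), the following script checks a pinned moment version from a package.json object against the CVE table above and reports which advisories still apply. The table rows are copied from the page; the minimal semver comparator and the sample manifest are constructed here for illustration.

```javascript
// Fix versions copied from the CVE table above.
const MOMENT_CVES = [
  { id: 'CVE-2016-4055',  fixed: '2.11.2', summary: 'ReDoS via date parsing regex' },
  { id: 'CVE-2017-18214', fixed: '2.19.3', summary: 'ReDoS via crafted string in moment()' },
  { id: 'CVE-2022-24785', fixed: '2.29.2', summary: 'Path traversal in locale loading' },
  { id: 'CVE-2022-31129', fixed: '2.29.4', summary: 'ReDoS in RFC 2822 date preprocessing' },
];

// Parse "MAJOR.MINOR.PATCH" with an optional range prefix (^, ~, >=, =) and an
// optional "v". Pre-release suffixes are ignored. For a range spec this yields
// the lower bound, i.e. the oldest version the range could resolve to.
function parseVersion(spec) {
  const m = /^\s*(?:[\^~]|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Three-component numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// CVE ids whose fix version is newer than the installed (or lower-bound) version.
function affectedCves(installedSpec) {
  const installed = parseVersion(installedSpec);
  return MOMENT_CVES
    .filter((c) => compareVersions(installed, parseVersion(c.fixed)) < 0)
    .map((c) => c.id);
}

// Audit the direct dependencies of a parsed package.json object.
function auditManifest(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (!('moment' in deps)) return { present: false, spec: null, affected: [] };
  return { present: true, spec: deps.moment, affected: affectedCves(deps.moment) };
}

// Constructed sample manifest, not read from disk.
const sampleManifest = {
  name: 'demo-app',
  dependencies: { moment: '2.29.1', express: '^4.18.2' },
};

console.log(auditManifest(sampleManifest));
```

A caret or tilde range only tells you the oldest version the range admits; the version actually installed is the one in package-lock.json (or yarn.lock / pnpm-lock.yaml), so feed the resolved version from the lockfile to affectedCves() for a definitive answer. The script also does not see transitive copies of moment, which is what npm ls moment is for.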
Common questions
Should I migrate away from moment.js?
Yes. moment.js is in maintenance-only mode, and its maintainers recommend date-fns or dayjs (along with Luxon and js-Joda) for new projects. Both are smaller, tree-shakeable, and actively maintained. Migration is not trivial, but it is worth it for long-lived projects.
Is moment.js still safe to use?
2.29.4 and later contain fixes for all four known CVEs. The maintainers state that they will still address critical security issues but will add no features, so the library is safe to keep running at a fixed version as long as user-controlled input does not reach its parsing paths unchecked. If you're on a long-lived project, plan the migration to date-fns or dayjs.
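While a project is still on moment, the two input paths that the CVEs above concern can be guarded at the call site. The following helpers are an added example (not part of moment's API and not this page's code): the locale-name pattern and the input length cap are this example's assumptions, chosen to be well below the >10k-character inputs the CVE-2022-31129 advisory describes, and the attack strings are constructed here for illustration.

```javascript
// Assumed cap on date-string length before it is handed to moment(). Real dates
// are a few dozen characters; the ReDoS inputs for CVE-2022-31129 were >10k.
const MAX_DATE_INPUT_LENGTH = 256;

// Assumed allowlist for locale names: language tag plus optional subtags
// (en, en-gb, zh-cn, sr-cyrl). Anything with "/", "\" or "." is rejected,
// which is what the CVE-2022-24785 traversal relied on.
const LOCALE_NAME = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/i;

// Return a canonical locale name, or the fallback when the request is not a
// plain locale tag. Use as moment.locale(guardLocaleName(req.query.lang)).
function guardLocaleName(requested, fallback = 'en') {
  if (typeof requested !== 'string' || !LOCALE_NAME.test(requested)) return fallback;
  return requested.toLowerCase();
}

// Reject non-strings and over-long strings before moment() sees them.
// Use as moment(guardDateInput(req.body.when)).
function guardDateInput(input) {
  if (typeof input !== 'string') throw new TypeError('date input must be a string');
  if (input.length > MAX_DATE_INPUT_LENGTH) {
    throw new RangeError(`date input too long (${input.length} > ${MAX_DATE_INPUT_LENGTH})`);
  }
  return input;
}

// Convenience wrapper reporting accept/reject without throwing, for logging.
function classifyDateInput(input) {
  try {
    guardDateInput(input);
    return 'accepted';
  } catch (e) {
    return `rejected: ${e.constructor.name}`;
  }
}

// Constructed sample inputs.
const traversalAttempt = '../../../../etc/passwd';   // CVE-2022-24785 style
const oversizedDate = 'Mon, 06 Mar 2017 21:22:23 +0000' + ' '.repeat(20000); // CVE-2022-31129 style
const ordinaryDate = '2024-05-01T12:00:00Z';

console.log(guardLocaleName('en-GB'), guardLocaleName(traversalAttempt));
console.log(classifyDateInput(ordinaryDate), classifyDateInput(oversizedDate));
```

The guards are deliberately independent of moment itself so that they keep working after a migration to dayjs or date-fns, whose parsers also benefit from bounded input. A length cap is a mitigation for catastrophic backtracking, not a fix: upgrade to 2.29.4 or later regardless.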
What's the easiest moment.js replacement?
dayjs has an almost identical API to moment.js and is a near drop-in replacement for most code, with plugins covering features such as time zones and custom parse formats. date-fns is more comprehensive but uses a different, functional API that takes native Date objects. Start with dayjs if API compatibility matters.