GitHub Advisory DatabaseGHSA-HHQ3-FF78-JV3G

HistoryOct 12, 2022 - 12:00 p.m.

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

2022-10-1212:00:27

CWE-400

CWE-1333

GitHub Advisory Database

github.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

69.8%

JSON

A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Affected configurations

Vulners

Node

loaderutilsRange<3.2.1

loaderutilsRange<2.0.4

loaderutilsRange<1.4.2

CPENameOperatorVersion
loader-utilslt3.2.1
loader-utilslt2.0.4
loader-utilslt1.4.2

Name	Operator	Version
loader-utils	lt	3.2.1
loader-utils	lt	2.0.4
loader-utils	lt	1.4.2

References

github.com/advisories/GHSA-hhq3-ff78-jv3g

github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38

github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83

github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa

github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb

github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1

github.com/webpack/loader-utils/issues/211

github.com/webpack/loader-utils/issues/216

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ

nvd.nist.gov/vuln/detail/CVE-2022-37599

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

69.8%

JSON

Related for GHSA-HHQ3-FF78-JV3G