GitHub Advisory Database: GHSA-3RFM-JHWJ-7488
History: Oct 14, 2022 - 7:00 p.m.

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

2022-10-14 19:00:38
CWE-1333
GitHub Advisory Database
github.com
loader-utils, redos, vulnerability, patched, interpolatename, webpack

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.007 Low
Percentile: 80.3%

A regular expression denial of service (ReDoS) flaw was found in the interpolateName function in interpolateName.js in webpack loader-utils 2.0.0, reachable via the url variable. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportionate amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Affected configurations

Vulners
Node
loaderutils Range < 3.2.1
OR
loaderutils Range < 2.0.4
OR
loaderutils Range < 1.4.2
