Lucene search

GoogleOSV:GHSA-3RFM-JHWJ-7488

HistoryOct 14, 2022 - 7:00 p.m.

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

2022-10-1419:00:38

Google

osv.dev

vulnerable

regular expression denial of service

redos

interpolatename.js

webpack

loader-utils

2.0.0

url variable

patch

version 1.4.2

version 2.0.4

version 3.2.1

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.007 Low

EPSS

Percentile

80.3%

JSON

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

CPENameOperatorVersion
loader-utilsge1.0.0
loader-utilsge3.0.0
loader-utilslt1.4.2
loader-utilslt2.0.4
loader-utilslt3.2.1
loader-utilsge2.0.0

Name	Operator	Version
loader-utils	ge	1.0.0
loader-utils	ge	3.0.0
loader-utils	lt	1.4.2
loader-utils	lt	2.0.4
loader-utils	lt	3.2.1
loader-utils	ge	2.0.0

References

github.com/webpack/loader-utils

github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107

github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38

github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa

github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb

github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1

github.com/webpack/loader-utils/issues/213

github.com/webpack/loader-utils/issues/216

lists.fedoraproject.org/archives/list/[email protected]/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM

lists.fedoraproject.org/archives/list/[email protected]/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375

lists.fedoraproject.org/archives/list/[email protected]/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU

nvd.nist.gov/vuln/detail/CVE-2022-37603

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.007 Low

EPSS

Percentile

80.3%

JSON

Related for OSV:GHSA-3RFM-JHWJ-7488