Platform
nodejs
Component
loader-utils
Fixed in
1.4.2 (1.x line), 2.0.4 (2.x line), 3.2.1 (3.x line)
CVE-2022-37599 is a regular expression denial of service (ReDoS) vulnerability in the loader-utils package used by webpack loaders. A maliciously crafted string reaching the resourcePath variable handled by the interpolateName function makes the regular expression backtrack excessively, consuming CPU for an effectively unbounded time and blocking the Node.js event loop, so the process stops responding or is killed. Affected are the 1.x line before 1.4.2, the 2.x line before 2.0.4 and the 3.x line before 3.2.1; the fix was released in 1.4.2, 2.0.4 and 3.2.1 respectively.
To exploit CVE-2022-37599 an attacker has to get a specially formatted string into resourcePath, which is the path of the module being processed. The realistic vector is therefore attacker-influenced file names or paths fed into a webpack build or dev server, for example through an untrusted dependency or a user-controlled path, rather than an arbitrary network request. The result is a denial of service: the build, or the process hosting it, stops responding while the regular expression engine backtracks. Any application or build pipeline that uses webpack with a vulnerable loader-utils version is affected, and because loader-utils is a transitive dependency of many loaders the blast radius includes projects that never list it directly.
CVE-2022-37599 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; its EPSS score is given below. The likelihood of exploitation is rated medium because generic ReDoS tooling exists and webpack is widely deployed, although an attacker must control a path that reaches the build. Public proof-of-concept input strings are available. Refer to the NVD entry for updates.
Exploit status
EPSS
4.00% (88th percentile)
CVSS vector
The primary mitigation for CVE-2022-37599 is to upgrade loader-utils to 1.4.2 or later on the 1.x line, 2.0.4 or later on the 2.x line, or 3.2.1 or later on the 3.x line. Because loader-utils is usually pulled in transitively, check every installed copy (for example with npm ls loader-utils) rather than only the top-level dependency, and update or deduplicate any loader that pins an old version. Where paths reaching the build can be influenced by untrusted input, validate and constrain them before they are handed to webpack, since the vulnerable expression operates on resourcePath. A WAF does not see build-time input and does not address ReDoS directly, but it can block suspicious patterns on any HTTP parameter that ends up as a file name. No Sigma or YARA rules are published for this CVE; monitoring for sustained CPU saturation or stalled builds during webpack processing is the practical detection. After upgrading, confirm the fix by running the known proof-of-concept input through interpolateName under a time limit.
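A dependency check for the upgrade step, added here as example code (not part of loader-utils, webpack or npm): it walks a package-lock.json in either the v1 nested format or the v2/v3 flat format, finds every installed copy of loader-utils and reports which ones sit below the fixed release of their major line. The sample lockfile is constructed for the example; the fixed-version table is the one stated on this page.

```javascript
// Added example (not loader-utils, webpack or npm code): audit a package-lock.json
// for loader-utils versions below the fixed releases named in this advisory.
// Fixed versions per major line, as stated on this page.
const FIXED_IN = { 1: "1.4.2", 2: "2.0.4", 3: "3.2.1" };

function parseVersion(v) {
  // Strip a leading "v" and any prerelease/build suffix, then split numerically.
  // Caveat: prerelease tags are ignored, so "1.4.2-beta.1" compares equal to 1.4.2.
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  return [parts[0] || 0, parts[1] || 0, parts[2] || 0];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Returns the release the install should move to, or null if already patched.
function vulnerableFixTarget(version) {
  const major = parseVersion(version)[0];
  if (major < 1) return FIXED_IN[1]; // 0.x predates every fix
  if (major > 3) return null; // later majors post-date 3.2.1
  const fixed = FIXED_IN[major];
  return compareVersions(version, fixed) < 0 ? fixed : null;
}

// Finds every installed loader-utils copy and reports the vulnerable ones.
function auditLockfile(lock) {
  const findings = [];
  const record = (p, meta) => {
    const fixedIn = vulnerableFixTarget(meta.version);
    if (fixedIn) findings.push({ path: p, version: meta.version, fixedIn });
  };
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/loader-utils")) record(p, meta);
    }
  } else if (lock.dependencies) {
    // lockfile v1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === "loader-utils") record(p, meta);
        if (meta.dependencies) walk(meta.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample lockfile (v3): one patched top-level copy and two nested
// copies pinned by loaders, which is the typical shape of this problem.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/loader-utils": { version: "3.2.1" },
    "node_modules/babel-loader": { version: "8.2.5" },
    "node_modules/babel-loader/node_modules/loader-utils": { version: "2.0.3" },
    "node_modules/file-loader/node_modules/loader-utils": { version: "1.4.0" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Where npm is available, npm audit and npm ls loader-utils give the same information; the script is for CI images that only carry the lockfile. The path-suffix match deliberately requires the full "node_modules/loader-utils" segment so that unrelated packages whose names merely end in "loader-utils" are not reported.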
Upgrade the loader-utils package to 1.4.2, 2.0.4 or 3.2.1 (or later within the same major line) to mitigate the regular expression denial of service (ReDoS) vulnerability. This corrects the vulnerable regular expression in the interpolateName function and prevents attacks that could cause excessive resource consumption.
CVE-2022-37599 is a Regular Expression Denial of Service (ReDoS) vulnerability in webpack's loader-utils library that can hang the affected process or severely degrade its performance.
You are affected if you are using a version of loader-utils prior to 1.4.2, 2.0.4, or 3.2.1.
Upgrade your loader-utils dependency to 1.4.2, 2.0.4 or 3.2.1 (or later within the same major line) to resolve this vulnerability.
No reports of in-the-wild exploitation are known; a public proof-of-concept input string exists.
Refer to the National Vulnerability Database (NVD) entry for more details: https://nvd.nist.gov/vuln/detail/CVE-2022-37599