Platform
nodejs
Component
loader-utils
Fixed in
2.5.4
CVE-2022-37603 describes a regular expression denial of service (ReDoS) vulnerability affecting the loader-utils package. A maliciously crafted string can trigger excessive processing time, leading to a denial of service. This flaw affects version 2.0.0. Patches are available in versions 1.4.2, 2.0.4 and 3.2.1.
The primary impact of CVE-2022-37603 is a Denial of Service (DoS). An attacker can craft malicious requests containing specially formatted strings that trigger a ReDoS condition within the interpolateName function. This condition causes the regular expression engine to consume excessive CPU resources, potentially leading to a system crash or making the application unresponsive. The blast radius extends to any application or service utilizing the vulnerable loader-utils version, particularly those involved in webpack build processes. Successful exploitation could disrupt development workflows, deployment pipelines, and potentially impact production environments if the vulnerable library is used in a production build. While direct data exfiltration isn't a primary concern, the DoS can indirectly impact data availability and integrity.
CVE-2022-37603 was published on October 14, 2022. Its severity is rated as HIGH with a CVSS score of 7.5. There is no indication of this vulnerability being actively exploited in the wild, nor is it currently listed on KEV or EPSS. Public proof-of-concept (POC) code is not widely available, but the ReDoS nature of the vulnerability makes it relatively straightforward to exploit given sufficient knowledge of regular expression behavior.
Exploit status
EPSS
1.26% (79th percentile)
CVSS vector
The recommended mitigation for CVE-2022-37603 is to immediately upgrade loader-utils to version 1.4.2, 2.0.4, or 3.2.1. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by sanitizing or validating the url input before passing it to the interpolateName function. This could involve limiting the length of the URL or using a more restrictive regular expression. Web Application Firewalls (WAFs) or reverse proxies can be configured to filter out requests containing suspicious URL patterns known to trigger the ReDoS condition. After upgrading, confirm the fix by sending a test request containing a known malicious URL pattern and verifying that it no longer causes excessive CPU usage or a crash.
Update the loader-utils package to version 2.5.4 or higher to mitigate the regular expression denial of service (ReDoS) vulnerability. This can be done using a package manager such as npm or yarn.
A ReDoS (Regular Expression Denial of Service) attack exploits the way regular expressions process certain inputs, consuming excessive resources and causing a denial of service.
If you are using a version of loader-utils prior to 1.4.2, 2.0.4, or 3.2.1, you are likely affected. Review the dependencies of your webpack project.
As a temporary measure, you can validate and sanitize the input of the url variable before using it in interpolateName, but this is not a complete solution.
There are static analysis tools that can help identify potential ReDoS vulnerabilities in regular expressions, but their effectiveness may vary.
You can consult the vulnerability report on security databases such as CVE (Common Vulnerabilities and Exposures) and the webpack and loader-utils documentation.
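The dependency review and the temporary input guard described in the mitigation paragraph and in the answers above, as an added Node.js example that is not part of this advisory or of the loader-utils project. It assumes a package-lock.json in the lockfile v2/v3 "packages" layout, uses the three patched releases named on this page (1.4.2, 2.0.4, 3.2.1) as the fix boundaries, and applies a length cap to the url value before it would be handed to interpolateName; the sample lockfile and the 1024-character cap are constructed assumptions.

```javascript
// Added example (not from the advisory or the loader-utils project):
// a lockfile scan for vulnerable loader-utils versions plus the
// input-length guard the advisory suggests as a temporary workaround.

// Patched releases per major line, as stated in the advisory.
const FIXED_BY_MAJOR = { 1: [1, 4, 2], 2: [2, 0, 4], 3: [3, 2, 1] };

// Parses "v1.2.3" / "1.2.3-beta" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below the fixed release of its major line.
// Assumption: 0.x (no patched release listed) is treated as vulnerable and
// majors above 3 as carrying the fix.
function isVulnerableLoaderUtils(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[parsed[0]];
  if (!fixed) return parsed[0] < 1;
  return compareVersions(parsed, fixed) < 0;
}

// Walks the "packages" map of a package-lock.json (lockfile v2/v3) and returns
// every loader-utils entry, including nested copies under other loaders, that is vulnerable.
function findVulnerableLoaderUtils(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isLoaderUtils =
      path === 'node_modules/loader-utils' || path.endsWith('/node_modules/loader-utils');
    if (isLoaderUtils && meta.version && isVulnerableLoaderUtils(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Length cap applied to the url value before it reaches interpolateName.
// A cap limits how much input a backtracking regex can churn over; it reduces
// exposure but, as the advisory says, is not a complete fix. The default of
// 1024 is an assumption: pick it from the longest legitimate path you expect.
function guardUrlInput(url, maxLen = 1024) {
  if (typeof url !== 'string') throw new TypeError('url must be a string');
  if (url.length > maxLen) throw new RangeError(`url length ${url.length} exceeds ${maxLen}`);
  return url;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/loader-utils': { version: '2.0.2' },
    'node_modules/loader-a/node_modules/loader-utils': { version: '1.4.2' },
    'node_modules/loader-b/node_modules/loader-utils': { version: '3.2.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable loader-utils copies:', findVulnerableLoaderUtils(SAMPLE_LOCK));
  console.log('guarded:', guardUrlInput('src/[name].[hash].js'));
}
```

Run it against a real project by replacing SAMPLE_LOCK with the parsed contents of that project's package-lock.json; nested copies matter because several webpack loaders pin their own loader-utils, so a patched top-level copy does not prove the tree is clean.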