Platform
nodejs
Component
loader-utils
Fixed in
1.4.2 (1.x), 2.0.4 (2.x), 3.2.1 (3.x)
CVE-2022-37599 describes a regular expression denial of service (ReDoS) vulnerability in the loader-utils package. A maliciously crafted string reaching the interpolateName function through its resourcePath input drives a regular expression into catastrophic backtracking, so the call consumes CPU for an effectively unbounded time and the build process or server that made it stops making progress. On the 1.x line the issue affects versions prior to 1.4.2 and is addressed in version 1.4.2.
CVE-2022-37599 is a Regular Expression Denial of Service (ReDoS) vulnerability in webpack's loader-utils library, specifically in the interpolateName function. interpolateName builds an output file name from a template such as [name].[ext] by running regular expressions over the path held in loaderContext.resourcePath; a crafted resourcePath sends one of those expressions into catastrophic backtracking, so a single call burns CPU for an effectively unbounded time. The effect is a hung build process or server, not memory exhaustion and not code execution. The blast radius is any webpack build or application in which resourcePath can be influenced by an untrusted party. In an ordinary build webpack sets resourcePath to the path of the module being processed, so an attacker either needs to control file names or paths that the build consumes (for example a hosted build service or dev server compiling third-party or user-uploaded projects) or needs application code that calls interpolateName directly on user-supplied strings. Data exfiltration is not the risk; a successful ReDoS stalls build pipelines, blocks deployments and makes any service that compiles on demand unavailable to its users and developers. NVD rates the severity HIGH (CVSS score 7.5) on the strength of the denial-of-service impact.
As of this assessment there are no publicly available exploitation reports or Proof-of-Concept (PoC) code for CVE-2022-37599. That does not reduce the risk much: once the vulnerable pattern is known, producing a triggering string is straightforward, and a ReDoS payload needs no authentication and no luck to work. What limits exploitation is reach, since the attacker has to get a crafted path into resourcePath, and the payoff is resource exhaustion rather than code execution. Treat the absence of a public PoC as a reason to patch on the normal schedule rather than as a reason to defer, and keep watching security advisories and vulnerability databases for emerging exploitation attempts.
Exploit Status
EPSS
4.00% (88th percentile)
CVSS Vector
The primary mitigation for CVE-2022-37599 is to upgrade loader-utils to a patched release: 1.4.2 on the 1.x line, 2.0.4 on 2.x, and 3.2.1 on 3.x. loader-utils is usually a transitive dependency (of webpack 4 itself and of loaders such as babel-loader, file-loader and url-loader), and several copies at different majors are often installed side by side, so run `npm ls loader-utils` (or `yarn why loader-utils`) to find every copy, and use a package.json `overrides` block (npm 8.3+) or `resolutions` (Yarn) to force a patched version wherever a parent package has not yet widened its own range. If upgrading is not immediately feasible, the temporary workaround is to keep untrusted input out of resourcePath: do not compile file names or paths chosen by untrusted users, and if application code calls interpolateName directly, limit the length and character set of the string before passing it. That is a stopgap, not a fix; upgrading remains the recommended solution. After patching, run the full build and test suite, and confirm that interpolateName no longer burns CPU on long or adversarial resourcePath values. An automated timing check over inputs of increasing length is the simplest way to prove the fix and to catch a regression.
Update the loader-utils package to the patched release for your major line (1.4.2, 2.0.4 or 3.2.1) to mitigate the regular expression denial of service (ReDoS) vulnerability. This corrects the vulnerable regular expression in the interpolateName function and prevents attacks that could cause excessive resource consumption.
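The post-patch check described above, as an added example that is not loader-utils' or webpack's own code: a timing harness that measures how a string-processing function's run time grows with input length. SLOW_PATTERN is a constructed textbook catastrophic-backtracking regex, not the pattern from loader-utils, and SAFE_PATTERN is its linear-time counterpart; both exist only to show what the harness reports in each case. The harness accepts any function, and interpolateNameProbe shows the assumed wiring for pointing it at the real interpolateName (it requires loader-utils to be installed and is not called here).

```javascript
// Added example, not loader-utils' own code: measure run-time growth of a
// function over increasing input sizes to detect ReDoS-style blow-up.
const perf = globalThis.performance || require('perf_hooks').performance;

const SLOW_PATTERN = /^(a+)+$/; // constructed: nested quantifier, backtracks ~2^n ways on failure
const SAFE_PATTERN = /^a+$/;    // constructed: matches the same strings in linear time

function slowMatch(s) { return SLOW_PATTERN.test(s); }
function safeMatch(s) { return SAFE_PATTERN.test(s); }

// n repeated characters followed by one that forces the match to fail; the
// forced failure is what makes a backtracking regex try every split of the prefix.
function makeInput(n) { return 'a'.repeat(n) + '!'; }

// Median wall-clock milliseconds of fn(input) over reps runs; the median
// tolerates a single GC pause or scheduling hiccup.
function medianMs(fn, input, reps = 5) {
  const times = [];
  for (let i = 0; i < reps; i++) {
    const t0 = perf.now();
    fn(input);
    times.push(perf.now() - t0);
  }
  times.sort((a, b) => a - b);
  return times[Math.floor(reps / 2)];
}

// Time fn at each input size after one warm-up call, so regex compilation and
// JIT work are not counted. Returns [{ n, ms }].
function profileGrowth(fn, sizes, mkInput = makeInput) {
  fn(mkInput(sizes[0]));
  return sizes.map((n) => ({ n, ms: medianMs(fn, mkInput(n)) }));
}

// True when time from the first to the last sample grew faster than
// (n_last / n_first) ** exponent. exponent 2 catches exponential ReDoS on small
// inputs; lower it toward 1 to catch quadratic patterns on large inputs.
// Samples below floorMs are timer noise and are clamped before comparing.
function looksSuperlinear(samples, exponent = 2, floorMs = 0.05) {
  const first = samples[0];
  const last = samples[samples.length - 1];
  const allowedRatio = Math.pow(last.n / first.n, exponent);
  return last.ms > Math.max(first.ms, floorMs) * allowedRatio;
}

// Assumed wiring for the real check after upgrading (needs loader-utils
// installed; not called here). interpolateName's public signature is
// interpolateName(loaderContext, name, options); feed the crafted path from
// the advisory as resourcePath and profile this function instead of slowMatch.
function interpolateNameProbe(resourcePath) {
  const { interpolateName } = require('loader-utils');
  return interpolateName({ resourcePath }, '[name].[ext]', {});
}

// Demo on the constructed patterns: the slow one is flagged, the safe one is not.
const slowProfile = profileGrowth(slowMatch, [12, 15, 18]);
const safeProfile = profileGrowth(safeMatch, [20000, 40000, 80000]);
console.log('slow pattern superlinear:', looksSuperlinear(slowProfile), slowProfile);
console.log('safe pattern superlinear:', looksSuperlinear(safeProfile), safeProfile);
```

Keep the sizes small for exponential patterns: each extra character roughly doubles the run time of SLOW_PATTERN, so a few steps of n are enough to see the curve without hanging the test runner. When wiring in interpolateName, generate inputs by growing the advisory's crafted path rather than a run of a single character, since the vulnerable expression is specific to that shape.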
CVE-2022-37599 is a Regular Expression Denial of Service (ReDoS) vulnerability in webpack's loader-utils library that can cause system crashes or performance degradation.
You are affected if any installed copy of loader-utils, including transitive copies nested under other packages, is 1.x below 1.4.2, 2.x below 2.0.4, or 3.x below 3.2.1.
Upgrade every copy of loader-utils to the patched release of its major line (1.4.2, 2.0.4 or 3.2.1) to resolve this vulnerability.
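A lockfile audit for the "are you affected" and "upgrade every copy" steps above, as an added example that is not loader-utils' or webpack's own code. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3 layout), reports each installed copy of loader-utils against the fixed releases this page lists for its major line, and emits a package.json `overrides` block that forces the vulnerable lines onto their patched release. SAMPLE_LOCK is a constructed lockfile; the `loader-utils@<major>` override keys use the name@range form npm documents for scoping an override to one version range, and FIXED_BY_MAJOR is taken from this page.

```javascript
// Added example, not loader-utils' own code: find every installed copy of
// loader-utils in a lockfile and flag those below the patched release.

// Fixed releases per major line, as stated on this page. No fix is listed for 0.x.
const FIXED_BY_MAJOR = { 1: '1.4.2', 2: '2.0.4', 3: '3.2.1' };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 comparing a and b as major.minor.patch (prerelease tags ignored).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version is below the patched release on its major line. 0.x has no
// listed fix and is reported as vulnerable; majors newer than any listed line
// are treated as patched.
function isVulnerable(version) {
  const major = parseSemver(version)[0];
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return major < 1;
  return compareSemver(version, fixed) < 0;
}

// lockfileVersion 2 and 3 list every installed package under "packages", keyed
// by path, so nested copies appear as "node_modules/<parent>/node_modules/loader-utils".
function findLoaderUtils(lock) {
  const hits = [];
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (p === 'node_modules/loader-utils' || p.endsWith('/node_modules/loader-utils')) {
      hits.push({ path: p, version: info.version, vulnerable: isVulnerable(info.version) });
    }
  }
  return hits;
}

// package.json "overrides" (npm >= 8.3) forcing each vulnerable major line onto
// its patched release, e.g. { "loader-utils@1": "^1.4.2" }.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) {
    if (!h.vulnerable) continue;
    const major = parseSemver(h.version)[0];
    const fixed = FIXED_BY_MAJOR[major];
    if (fixed) overrides[`loader-utils@${major}`] = `^${fixed}`;
  }
  return overrides;
}

function audit(lock) {
  const hits = findLoaderUtils(lock);
  return { hits, overrides: buildOverrides(hits) };
}

// Read and audit a real lockfile, e.g. auditLockFile('./package-lock.json').
function auditLockFile(file) {
  const fs = require('fs');
  return audit(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile: one patched copy and two vulnerable nested copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/loader-utils': { version: '2.0.4' },
    'node_modules/babel-loader/node_modules/loader-utils': { version: '1.4.0' },
    'node_modules/file-loader/node_modules/loader-utils': { version: '3.1.3' },
    'node_modules/some-other-package': { version: '1.0.0' },
  },
};

console.log(JSON.stringify(audit(SAMPLE_LOCK), null, 2));
```

On the sample, the top-level 2.0.4 copy passes while the 1.4.0 and 3.1.3 copies nested under babel-loader and file-loader are flagged, and the generated overrides pin those two lines to `^1.4.2` and `^3.2.1`. After adding the overrides, re-run `npm install` and then `npm ls loader-utils` to confirm no unpatched copy remains; Yarn users express the same intent with a `resolutions` block.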
Currently, there are no publicly available exploitation reports or Proof-of-Concept code for this vulnerability.
Refer to the National Vulnerability Database (NVD) entry for more details: https://nvd.nist.gov/vuln/detail/CVE-2022-37599