Platform
nodejs
Component
loader-utils
Fixed in
2.5.4
CVE-2022-37603 describes a Regular expression denial of service (ReDoS) vulnerability affecting the loader-utils package. A maliciously crafted string could trigger excessive processing time, leading to a denial of service. This flaw affects version 2.0.0. Patches are available in versions 1.4.2, 2.0.4 and 3.2.1.
CVE-2022-37603 affects the loader-utils library used by webpack, specifically the interpolateName function in interpolateName.js. This vulnerability is a Regular Expression Denial of Service (ReDoS). An attacker can send carefully crafted requests containing malicious strings via the url variable. These strings, when processed by the regular expression, can consume a disproportionate amount of system resources, leading to a crash or significant slowdown. The risk is particularly high in environments where webpack is used to build complex web applications, as a successful attack could disrupt the build process and impact service availability. The CVSS severity score is 7.5, indicating a high risk.
The vulnerability is exploited by injecting malicious strings into the url variable used by the interpolateName function. These strings are designed to trigger excessive backtracking in the regular expression, leading to a ReDoS. The attacker needs to be able to control or influence the value of the url variable. This could occur, for example, through query parameters in a URL, data submitted by a form, or even through manipulation of configuration files. The complexity of the attack depends on the attacker's ability to craft a string that maximizes the regular expression's processing time.
Exploit Status
EPSS
1.26% (79th percentile)
CVSS Vector
The most effective solution is to update the loader-utils library to a patched version. Versions 1.4.2, 2.0.4, and 3.2.1 include the fix for this vulnerability. We strongly recommend updating to the latest available version. If an update is not immediately possible, temporary mitigation measures can be implemented, such as validating and sanitizing the input of the url variable before passing it to the interpolateName function. However, these measures are less secure than a full update and should be considered only as a temporary workaround. Monitoring system performance and error logs can help detect potential ReDoS attacks.
Update the loader-utils package to version 2.5.4 or later to mitigate the Regular Expression Denial of Service (ReDoS) vulnerability. This can be done using a package manager such as npm or yarn.
A ReDoS (Regular Expression Denial of Service) attack exploits the way regular expressions process certain inputs, consuming excessive resources and causing a denial of service.
If you are using a version of loader-utils prior to 1.4.2, 2.0.4, or 3.2.1, you are likely affected. Review the dependencies of your webpack project.
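One way to carry out that dependency review, as an added example that is not part of this advisory and not code from the loader-utils or webpack projects: a Node script that walks a package-lock.json (lockfile v1 nested "dependencies" or v2/v3 flat "packages") and flags every loader-utils install whose version is below the patched floor for its major line (1.4.2, 2.0.4, 3.2.1, as stated above). The sample lockfile embedded below is constructed for the demonstration; the assumption that major lines outside 1 to 3 are out of scope is mine.

```javascript
// Patched floors per the advisory: 1.4.2, 2.0.4 and 3.2.1, keyed by major line.
const PATCHED = { 1: [1, 4, 2], 2: [2, 0, 4], 3: [3, 2, 1] };

// Parses "MAJOR.MINOR.PATCH" (ignoring any pre-release/build suffix) into a triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when a loader-utils version is below the patched floor for its major line.
function isVulnerableLoaderUtils(version) {
  const v = parseVersion(version);
  if (!v) return true;            // unparsable version: flag it for manual review (conservative)
  const floor = PATCHED[v[0]];
  if (!floor) return false;       // assumption: majors outside 1-3 are not covered by this advisory
  return compareVersions(v, floor) < 0;
}

// Collects every loader-utils install (path + version) from a lockfile object.
// v2/v3 lockfiles list installs flat under "packages"; v1 nests them under "dependencies".
function findLoaderUtils(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/loader-utils') && meta && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'loader-utils' && meta.version) found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Returns one record per loader-utils install with a vulnerable flag.
function auditLockfile(lock) {
  return findLoaderUtils(lock).map(e => ({ ...e, vulnerable: isVulnerableLoaderUtils(e.version) }));
}

// Constructed sample lockfile (v3 shape) with hoisted and nested loader-utils copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/loader-utils': { version: '2.0.4' },
    'node_modules/file-loader': { version: '6.2.0' },
    'node_modules/file-loader/node_modules/loader-utils': { version: '2.0.0' },
    'node_modules/old-loader/node_modules/loader-utils': { version: '1.4.0' },
    'node_modules/new-loader/node_modules/loader-utils': { version: '3.2.1' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} (${r.version})`);
}
```

Nested copies matter: a hoisted, patched loader-utils at the top level does not protect a loader that pins its own older copy one directory deeper, which is why the script reports every install path rather than just the first match.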
As a temporary measure, you can validate and sanitize the input of the url variable before using it in interpolateName, but this is not a complete solution.
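The temporary measure described here and in the mitigation paragraph above (validate the url input before it reaches interpolateName, and watch for abnormally slow processing) as an added example; this is not code from loader-utils or webpack. The length bound, the control-character check, the 50 ms "slow" threshold and the demoInterpolate stand-in are all assumptions for the demonstration; in a real build you would pass the actual interpolateName call in place of demoInterpolate.

```javascript
const MAX_URL_LENGTH = 2048; // assumption: a generous upper bound for resource paths in a build

// Rejects values that no legitimate resource path should carry before any regex sees them.
function validateUrlInput(url, maxLength = MAX_URL_LENGTH) {
  if (typeof url !== 'string') return { ok: false, reason: 'not a string' };
  if (url.length === 0) return { ok: false, reason: 'empty' };
  if (url.length > maxLength) return { ok: false, reason: `exceeds ${maxLength} characters` };
  if (/[\u0000-\u001f\u007f]/.test(url)) return { ok: false, reason: 'control character' };
  return { ok: true };
}

// Wraps an interpolation function: validates first, then times the call so that
// unusually slow interpolations (a ReDoS symptom) are logged rather than silently absorbed.
function guardedInterpolate(interpolate, url, options = {}) {
  const { maxLength = MAX_URL_LENGTH, slowMs = 50, log = console.warn } = options;
  const check = validateUrlInput(url, maxLength);
  if (!check.ok) {
    log(`rejected interpolation input: ${check.reason}`);
    return { ok: false, reason: check.reason };
  }
  const start = process.hrtime.bigint();
  const result = interpolate(url);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  if (elapsedMs > slowMs) {
    log(`slow interpolation: ${elapsedMs.toFixed(1)} ms for input of length ${url.length}`);
  }
  return { ok: true, result, elapsedMs };
}

// Constructed stand-in for interpolateName (not the real implementation): fills the
// [name] and [ext] tokens of a "[name].[ext]" pattern from the last path segment.
function demoInterpolate(url) {
  const base = url.split('/').pop();
  const dot = base.lastIndexOf('.');
  const name = dot > 0 ? base.slice(0, dot) : base;
  const ext = dot > 0 ? base.slice(dot + 1) : '';
  return '[name].[ext]'.replace('[name]', name).replace('[ext]', ext);
}

// Constructed sample inputs: one normal path, one oversized, one with an embedded NUL.
const SAMPLE_INPUTS = ['src/img/logo.png', 'a'.repeat(5000), 'src/x\u0000y.js'];
for (const input of SAMPLE_INPUTS) {
  const out = guardedInterpolate(demoInterpolate, input);
  console.log(out.ok ? `ok   ${out.result}` : `drop ${out.reason}`);
}
```

The length bound is the part that actually limits exposure: backtracking cost grows with input length, so capping the input caps the worst case even when the underlying regex is still the vulnerable one. The timing log is for detection only and does not prevent the slow call it reports.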
There are static analysis tools that can help identify potential ReDoS vulnerabilities in regular expressions, but their effectiveness may vary.
You can consult the vulnerability report on security databases such as CVE (Common Vulnerabilities and Exposures) and the webpack and loader-utils documentation.