GSA_kwCzR0hTQS1oaHEzLWZmNzgtanYzZ84AAvRq

High EPSS: 0.04% (0.87946 Percentile) EPSS:

Permalink JSON

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

Affected Packages	Affected Versions	Fixed Versions
npm:loader-utils PURL: `pkg:npm/loader-utils`	>= 1.0.0, < 1.4.2	1.4.2
8,210 Dependent packages 1,708,802 Dependent repositories 232,993,996 Downloads last month Affected Version Ranges All affected versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.4.0, 1.4.1 All unaffected versions 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 1.4.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1

A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

References:

Identifiers

GHSA-hhq3-ff78-jv3g

CVE-2022-37599

Risk

Severity

High

EPSS

EPSS Percentage: 0.04

EPSS Percentile: 0.87946

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/webpack/loader-utils

Date and time

Published

about 3 years ago

Updated

about 1 hour ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories