Fluid Attacks Database

Description

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-loader-utils	>=0 <2.0.4-1	2.0.4-1
debian 13	node-loader-utils	>=0 <2.0.4-1	2.0.4-1
debian 11	node-loader-utils	=2.0.0-1 \|\| >=0 <2.0.0-1+deb11u1	2.0.0-1+deb11u1
debian 14	node-loader-utils	>=0 <2.0.4-1	2.0.4-1
npm	loader-utils	>=1.0.0 <1.4.2 \|\| >=2.0.0 <2.0.4 \|\| >=3.0.0 <3.2.1	1.4.2, 2.0.4, 3.2.1
rpm rhel7	firefox	-	-
rpm rhel8	grafana	-	-
rpm rhel8	pcs	-	-
rpm rhel8	389-ds-base	-	-
rpm rhel6	firefox	-	-

1-10 of 12

Aliases

1. CVE-2022-375992. NVD-2022-375993. OSV-DEBIAN-2022-375994. OSV-2022-375995. GCVE-2022-375996. SECURITY-TRACKER-CVE-2022-37599

References

1. https://github.com/webpack/loader-utils/issues/2112. https://github.com/webpack/loader-utils/issues/2163. https://github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa4. https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb5. https://github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb16. https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L387. https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L838. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT29. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ10. https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.