CVE-2022-37599
First published: Tue Oct 11 2022(Updated: )
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/loader-utils | >=3.0.0<3.2.1 | 3.2.1 |
| npm/loader-utils | >=2.0.0<2.0.4 | 2.0.4 |
| npm/loader-utils | >=1.0.0<1.4.2 | 1.4.2 |
| redhat/loader-utils | <1.4.2 | 1.4.2 |
| redhat/loader-utils | <2.0.4 | 2.0.4 |
| redhat/loader-utils | <3.2.1 | 3.2.1 |
| Webpack | >=1.0.0<1.4.2 | |
| Webpack | >=2.0.0<2.0.4 | |
| Webpack | >=3.0.0<3.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-37599
- https://github.com/webpack/loader-utils/issues/211
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83
- https://github.com/webpack/loader-utils/issues/216
- https://github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa
- https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb
- https://github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1
- https://github.com/advisories/GHSA-hhq3-ff78-jv3g (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209313
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209311
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209314
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209315
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209312
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209316
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209317
- https://access.redhat.com/errata/RHSA-2023:4983
- https://bugzilla.redhat.com/show_bug.cgi?id=2134872
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ
Frequently Asked Questions
What is CVE-2022-37599?
CVE-2022-37599 is a regular expression denial of service (ReDoS) flaw in the Function interpolateName in webpack loader-utils.
How does CVE-2022-37599 affect the system?
CVE-2022-37599 can cause a system to crash or become unresponsive when a badly or maliciously formed string is used.
What is the severity rating of CVE-2022-37599?
The severity rating of CVE-2022-37599 is high, with a CVSS score of 7.5.
Which versions of loader-utils are affected by CVE-2022-37599?
Versions 1.0.0 to 1.4.2, 2.0.0 to 2.0.4, and 3.0.0 to 3.2.1 of loader-utils are affected by CVE-2022-37599.
How can I fix CVE-2022-37599?
To fix CVE-2022-37599, update loader-utils to version 3.2.1, 2.0.4, or 1.4.2 depending on the version you are using.
- agent/type
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hhq3-ff78-jv3g
- alias/CVE-2022-37599
- agent/software-canonical-lookup
- agent/references
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/npm
- package-manager/redhat
- vendor/webpack.js
- canonical/webpack
- version/webpack/1.0.0
- version/webpack/2.0.0
- version/webpack/3.0.0