CVE-2022-37601

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Published: Oct 12, 2022
Updated: May 15, 2024
CVE: CVE-2022-37601
GHSA: GHSA-76p3-8jx3-jpfq
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-1321

Affected Software
References

Software	From	Fixed in
webpack.js / loader-utils	-	1.4.1
webpack.js / loader-utils	2.0.0	2.0.3
debian / debian_linux	10.0	10.0.x
webpack / loader-utils	2.0.0	2.0.3
webpack / loader-utils	-	1.4.1

http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
https://dl.acm.org/doi/abs/10.1145/3488932.3497769
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
https://github.com/webpack/loader-utils/issues/212
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
https://github.com/webpack/loader-utils/pull/217
https://github.com/webpack/loader-utils/pull/217/commits/f4e48a232fae900237c3e5ff7b57ce9e1c734de1
https://github.com/webpack/loader-utils/pull/220
https://github.com/webpack/loader-utils/pull/220/commits/a49c061ef272bc0c61cc1d996f83bb0e3b4daa9e
https://github.com/webpack/loader-utils/releases/tag/v1.4.1
https://github.com/webpack/loader-utils/releases/tag/v2.0.3
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html

Vulnerability Database

CVE-2022-37601