CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
| Software | From | Fixed in |
|---|---|---|
| webpack.js / loader-utils | - | 1.4.1 |
| webpack.js / loader-utils | 2.0.0 | 2.0.3 |
| debian / debian_linux | 10.0 | 10.0.x |
webpack / loader-utils
|
2.0.0 | 2.0.3 |
|
webpack / loader-utils
|
- | 1.4.1 |
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
- https://github.com/webpack/loader-utils/issues/212
- https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
- https://github.com/webpack/loader-utils/pull/217
- https://github.com/webpack/loader-utils/pull/217/commits/f4e48a232fae900237c3e5ff7b57ce9e1c734de1
- https://github.com/webpack/loader-utils/pull/220
- https://github.com/webpack/loader-utils/pull/220/commits/a49c061ef272bc0c61cc1d996f83bb0e3b4daa9e
- https://github.com/webpack/loader-utils/releases/tag/v1.4.1
- https://github.com/webpack/loader-utils/releases/tag/v2.0.3
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime