Vulnerability Details CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.157
EPSS Ranking 94.4%
CVSS Severity
CVSS v3 Score 9.8
References
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
- https://github.com/webpack/loader-utils/issues/212
- https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
- https://github.com/webpack/loader-utils/issues/212
- https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
Products affected by CVE-2022-37601
-
cpe:2.3:a:webpack.js:loader-utils:0.2.10
-
cpe:2.3:a:webpack.js:loader-utils:0.2.11
-
cpe:2.3:a:webpack.js:loader-utils:0.2.12
-
cpe:2.3:a:webpack.js:loader-utils:0.2.13
-
cpe:2.3:a:webpack.js:loader-utils:0.2.14
-
cpe:2.3:a:webpack.js:loader-utils:0.2.15
-
cpe:2.3:a:webpack.js:loader-utils:0.2.16
-
cpe:2.3:a:webpack.js:loader-utils:0.2.17
-
cpe:2.3:a:webpack.js:loader-utils:0.2.7
-
cpe:2.3:a:webpack.js:loader-utils:0.2.8
-
cpe:2.3:a:webpack.js:loader-utils:0.2.9
-
cpe:2.3:a:webpack.js:loader-utils:1.0.0
-
cpe:2.3:a:webpack.js:loader-utils:1.0.1
-
cpe:2.3:a:webpack.js:loader-utils:1.0.2
-
cpe:2.3:a:webpack.js:loader-utils:1.0.3
-
cpe:2.3:a:webpack.js:loader-utils:1.0.4
-
cpe:2.3:a:webpack.js:loader-utils:1.1.0
-
cpe:2.3:a:webpack.js:loader-utils:1.2.0
-
cpe:2.3:a:webpack.js:loader-utils:1.2.1
-
cpe:2.3:a:webpack.js:loader-utils:1.2.2
-
cpe:2.3:a:webpack.js:loader-utils:1.2.3
-
cpe:2.3:a:webpack.js:loader-utils:1.3.0
-
cpe:2.3:a:webpack.js:loader-utils:1.4.0
-
cpe:2.3:a:webpack.js:loader-utils:2.0.0
-
cpe:2.3:a:webpack.js:loader-utils:2.0.1
-
cpe:2.3:a:webpack.js:loader-utils:2.0.2
-
cpe:2.3:o:debian:debian_linux:10.0