loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable #15

New Issue

Closed

opened 2022-11-16 04:43:28 +00:00 by argoyle · 0 comments

argoyle commented 2022-11-16 04:43:28 +00:00 (Migrated from gitlab.com)

Copy Link

Copy Source

⚠️ dependabot-gitlab has detected security vulnerability for loader-utils in path: /, manifest_file: /package.json but was unable to update it! ⚠️

• https://github.com/advisories/GHSA-3rfm-jhwj-7488

Package	Severity	Affected versions	Patched versions	IDs
loader-utils (NPM)	HIGH	>= 1.0.0, < 1.4.2	1.4.2	GHSA-3rfm-jhwj-7488,CVE-2022-37603

Description

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-37603
• https://github.com/webpack/loader-utils/issues/213
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
• https://github.com/webpack/loader-utils/issues/216
• https://github.com/advisories/GHSA-3rfm-jhwj-7488

⚠️ `dependabot-gitlab` has detected security vulnerability for `loader-utils` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️ * https://github.com/advisories/GHSA-3rfm-jhwj-7488 | Package | Severity | Affected versions | Patched versions | IDs | |--------------------|----------|-------------------|------------------|----------------------------------------| | loader-utils (NPM) | HIGH | >= 1.0.0, < 1.4.2 | 1.4.2 | `GHSA-3rfm-jhwj-7488`,`CVE-2022-37603` | # Description A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1. # References * https://nvd.nist.gov/vuln/detail/CVE-2022-37603 * https://github.com/webpack/loader-utils/issues/213 * https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107 * https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38 * https://github.com/webpack/loader-utils/issues/216 * https://github.com/advisories/GHSA-3rfm-jhwj-7488

argoyle (Migrated from gitlab.com) closed this issue 2022-12-05 13:03:24 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/vue-router-5.x

renovate-group-stylelint

fix/remove-digest-pinning

remove-gitlab-ci

remove-aws-iam-auth

remove-kubeconfig

kubeconfig-secret

ci-migration

No results found.

Labels

Clear labels

dependencies

Pull requests that update a dependency file

docker

javascript

security

Pull requests that address a security vulnerability

severity:critical

severity:high

severity:low

severity:moderate

No Label security severity:high

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#15