CVE-2022-37601 — Prototype Pollution in Loader-utils

CWE-1321 — Prototype Pollution7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

20.1%

top 4.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webpack.js Loader-utils Debian Node-loader-utils Debian Linux +3 more

Timeline

PublishedOct 12

Latest updateOct 14

Description

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶NVDwebpack.js/loader-utils2.0.0 — 2.0.3+1

▶npmwebpack.js/loader-utils2.0.0 — 2.0.3+1

▶debiandebian/node-loader-utils< node-loader-utils 2.0.3-1 (bookworm)

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

Prototype pollution in webpack loader-utils↗2022-10-13

▶

OSV

Prototype pollution in webpack loader-utils↗2022-10-13

▶

OSV

CVE-2022-37601: Prototype pollution vulnerability in function parseQuery in parseQuery↗2022-10-12

▶

📋Vendor Advisories

Red Hat

loader-utils: prototype pollution in function parseQuery in parseQuery.js↗2022-10-14

▶

Microsoft

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.↗2022-10-11

▶

Debian

CVE-2022-37601: node-loader-utils - Prototype pollution vulnerability in function parseQuery in parseQuery.js in web...↗2022

▶