credential-handler / authn.io

Credential Mediator Polyfill
https://github.com/w3c-ccg/credential-handler-api

CVE: 2022-37603 found in loader-utils - Version: 1.4.2,2.0.4 [JS] #126

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | loader-utils |
| Description | utils for webpack loaders |
| Language | JS |
| Vulnerability | Regular Expression Denial of Service (ReDoS) |
| Vulnerability description | loader-utils is vulnerable to regular expression denial of service. The vulnerability is due to an insecure regular expression in the url variable of the interpolateName function in interpolateName.js. A remote attacker can cause denial of service via malicious regex. |
| CVE | 2022-37603 |
| CVSS score | 5 |
| Vulnerability present in version/s | 1.0.0-2.0.4 |
| Found library version/s | 1.4.2, 2.0.4 |
| Vulnerability fixed in version | 3.0.0 |
| Library latest version | 3.2.1 |
| Fix | |

Links:

mattcollier commented 1 year ago

Although the Veracode issue indicates that the vulnerability is fixed in v3.x, in fact the fix was backported to v1 and v2 as well.

https://github.com/webpack/loader-utils/issues/213#issuecomment-1314604293

v1 patch: https://github.com/webpack/loader-utils/pull/226

v2 patch: https://github.com/webpack/loader-utils/pull/225

Therefore this issue is a NOOP.
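The NOOP decision above rests on knowing which release of each major line carries the backport, which the SCA table does not tell you. The following is an added example, not code from the credential-handler project or from loader-utils, that makes that check repeatable: it walks a lockfileVersion 2/3 package-lock.json, finds every (possibly nested) copy of loader-utils, and compares each against the patched floor for its major line. It assumes the patched releases are 1.4.2 (the v1 backport), 2.0.4 (the v2 backport) and 3.2.1 for the 3.x line, which is what the GitHub advisory for CVE-2022-37603 lists; the sample lockfile is constructed for the example.

```javascript
// Added example (not from the credential-handler project or loader-utils):
// decide whether each loader-utils version an SCA tool reports is already
// patched for CVE-2022-37603. Assumption: patched releases are 1.4.2 (v1
// backport), 2.0.4 (v2 backport) and 3.2.1 (3.x), per the GitHub advisory.
const PATCHED_FLOORS = {
  1: [1, 4, 2],
  2: [2, 0, 4],
  3: [3, 2, 1],
};

// Parse "1.4.2", "v2.0.4" or "3.2.1-beta.1" into [major, minor, patch];
// pre-release/build suffixes are ignored for the comparison.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { patched, reason }. A major line with no known patched release is
// reported as unpatched so the check errs toward a finding, not a NOOP.
function isPatched(version) {
  const v = parseVersion(version);
  const floor = PATCHED_FLOORS[v[0]];
  if (!floor) {
    return { patched: false, reason: `no known patched release for the ${v[0]}.x line` };
  }
  const floorStr = floor.join(".");
  return compareVersions(v, floor) >= 0
    ? { patched: true, reason: `>= ${floorStr}` }
    : { patched: false, reason: `< ${floorStr}` };
}

// Collect every loader-utils version in a lockfileVersion 2/3 package-lock,
// including copies nested under other packages' node_modules directories.
function loaderUtilsVersions(lock) {
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/loader-utils" || path.endsWith("/node_modules/loader-utils")) {
      versions.add(entry.version);
    }
  }
  return [...versions].sort();
}

function audit(lock) {
  return loaderUtilsVersions(lock).map((version) => ({ version, ...isPatched(version) }));
}

// Constructed sample lockfile (not the project's): one hoisted copy, one nested
// patched copy, and one nested copy that is still below the v1 backport.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/loader-utils": { version: "2.0.4" },
    "node_modules/some-loader/node_modules/loader-utils": { version: "1.4.2" },
    "node_modules/old-plugin/node_modules/loader-utils": { version: "1.4.1" },
  },
};

for (const r of audit(SAMPLE_LOCK)) {
  console.log(`loader-utils ${r.version}: ${r.patched ? "patched" : "VULNERABLE"} (${r.reason})`);
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`. The point of walking nested paths is that a hoisted 2.0.4 at the top level says nothing about an older copy pinned under a loader's own node_modules, which is exactly the case an SCA finding on "1.4.2, 2.0.4" can hide.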