CVE-2022-37599
Denial of Service vulnerability in loader-utils (npm)


What is CVE-2022-37599 About?

This is a Regular Expression Denial of Service (ReDoS) flaw found in webpack's loader-utils, specifically in the `interpolateName` function. A maliciously crafted string can cause the regex engine to backtrack excessively, consuming disproportionate processing time. This makes exploitation moderately easy for an attacker who can influence the `resourcePath` variable.

Affected Software

  • loader-utils
    • >3.0.0, <3.2.1
    • >1.0.0, <1.4.2
    • >2.0.0, <2.0.4

Technical Details

The ReDoS vulnerability in the `interpolateName` function of webpack's loader-utils stems from a vulnerable regular expression applied to the `resourcePath` variable. An attacker who can supply a specially crafted input string (for example, via `resourcePath`) can trigger catastrophic backtracking in the regular expression engine. This happens when a regex pattern containing overlapping quantifiers or ambiguous alternation is matched against a string that forces the engine to explore a vast number of ways to partition the input before it can conclude there is no match. The excessive backtracking consumes CPU time that grows far faster than the input length, producing a substantial delay or a complete hang and effectively denying service to the system handling the request.

What is the Impact of CVE-2022-37599?

Successful exploitation may allow attackers to cause the system to become unresponsive or crash due to excessive resource consumption, leading to a denial of service.

What is the Exploitability of CVE-2022-37599?

Exploitation of this ReDoS vulnerability involves crafting a specific string that will be processed by the vulnerable regular expression. The complexity is moderate, as it requires knowledge of regular expression weaknesses and how the resourcePath variable can be manipulated. No specific authentication or high privileges are required, provided an attacker can influence the resourcePath variable. The attack can be remote if the application processes user-supplied input that flows into this variable. The likelihood of exploitation increases if untrusted inputs are directly fed into filename or path-related processing functions without proper sanitization, especially in environments where compilation or asset loading occurs based on user-controlled names.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-37599?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch modifies the regular expression to disallow the inclusion of colon (:) characters within the hashType group when interpolating names, preventing malicious input from injecting or manipulating path components. This mitigates CVE-2022-37599, which allowed crafted filename templates to expose arbitrary filesystem locations or sensitive information through path traversal or improper object access.
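A defensive illustration of the Technical Details and fix sections above, added here and not code from loader-utils or Resolved Security: a linear-time parser for the `[<hashType>:hash:<digestType>:<length>]` placeholder that `interpolateName` accepts (the placeholder grammar is assumed from loader-utils' documented template format), with an input-length cap and the colon-free `hashType` rule the fix describes. Because the untrusted string is scanned and split rather than matched by a backtracking regex, processing time stays linear whatever the input contains.

```javascript
// Added example (not loader-utils or Resolved Security code): linear-time
// parsing of the first "[...]" placeholder in a template, which is assumed to
// follow loader-utils' documented "[<hashType>:hash:<digestType>:<length>]"
// grammar. The untrusted string is split, never matched by a regex that can
// backtrack; the only regexes run are anchored checks on short, isolated fields.
const MAX_TEMPLATE_LENGTH = 1024; // defensive cap on untrusted template/resourcePath input

function parseHashPlaceholder(template) {
  if (typeof template !== 'string' || template.length > MAX_TEMPLATE_LENGTH) {
    return null; // reject oversized or non-string input before doing any work
  }
  const start = template.indexOf('[');
  const end = start === -1 ? -1 : template.indexOf(']', start + 1);
  if (start === -1 || end === -1) return null;

  // A well-formed placeholder body has between 1 and 4 colon-separated parts.
  const parts = template.slice(start + 1, end).split(':');
  if (parts.length > 4) return null;

  // The keyword is either the first part or the second (preceded by hashType).
  const kwIndex = parts.findIndex((p) => /^(?:hash|contenthash)$/i.test(p));
  if (kwIndex === -1 || kwIndex > 1) return null;
  const hashType = kwIndex === 1 ? parts[0] : '';
  // Mirrors the described fix: hashType may not be empty or contain a colon
  // (split(':') already guarantees the latter; the check documents the invariant).
  if (kwIndex === 1 && (hashType === '' || hashType.includes(':'))) return null;

  // Trailing parts: "[hash:hex:8]", "[hash:hex]" or "[hash:8]" (length only).
  const rest = parts.slice(kwIndex + 1);
  if (rest.length > 2) return null;
  let digestType = '';
  let lengthStr = '';
  if (rest.length === 2) {
    [digestType, lengthStr] = rest;
  } else if (rest.length === 1) {
    if (/^\d+$/.test(rest[0])) lengthStr = rest[0];
    else digestType = rest[0];
  }
  // Disjoint character classes, no nested quantifiers: these cannot blow up.
  if (digestType !== '' && !/^[a-z]+\d*$/i.test(digestType)) return null;
  if (lengthStr !== '' && !/^\d+$/.test(lengthStr)) return null;
  return {
    hashType,
    keyword: parts[kwIndex].toLowerCase(),
    digestType,
    length: lengthStr === '' ? undefined : Number(lengthStr),
  };
}
```

Callers that accept full templates such as `[name].[contenthash:8].js` would apply this to each bracketed group in turn; the length cap should be applied once to the whole template before any placeholder is examined.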

Available Upgrade Options

  • loader-utils
    • >1.0.0, <1.4.2 → Upgrade to 1.4.2
    • >2.0.0, <2.0.4 → Upgrade to 2.0.4
    • >3.0.0, <3.2.1 → Upgrade to 3.2.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-37599?

Similar Vulnerabilities: CVE-2021-27293, CVE-2020-28498, CVE-2019-20448, CVE-2017-15201, CVE-2017-16016