CVE-2022-37601
Prototype pollution vulnerability in loader-utils (npm)

Prototype pollution | No known exploit | Fixable by Resolved Security

What is CVE-2022-37601 About?

This vulnerability is a prototype pollution issue within the `parseQuery` function of webpack's `loader-utils` library. It can lead to the modification of object prototypes, potentially altering application behavior or leading to further attacks. Exploitation is relatively easy due to insufficient input validation.

Affected Software

  • loader-utils
    • >2.0.0, <2.0.3
    • <1.4.1

Technical Details

The vulnerability resides in the `parseQuery` function in `parseQuery.js` within the loader-utils package, specifically prior to version 2.0.3, and arises through the `name` variable. An attacker can craft a malicious query string that, when processed by `parseQuery`, injects properties into `Object.prototype`. This lets the attacker control or modify properties for all objects in the JavaScript application, leading to unexpected behavior that can result in data manipulation, bypass of security checks, or denial of service.

What is the Impact of CVE-2022-37601?

Successful exploitation may allow attackers to modify object prototypes, leading to altered program logic, security bypasses, or denial of service. In some scenarios, this could escalate to remote code execution.

What is the Exploitability of CVE-2022-37601?

Exploitation characteristics suggest a medium complexity. Prerequisites involve providing malicious input through the 'name' variable to the vulnerable 'parseQuery' function. No specific authentication is required if the attacker can control input processed by loader-utils, making it a remote attack vector. Privilege requirements are low, as successful exploitation would manipulate the application's runtime environment. Special conditions include the application using a vulnerable version of loader-utils and processing untrusted input with parseQuery. The primary risk factor is external control over inputs that feed into the parseQuery function.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-37601?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch changes the initialization of the result object from a plain object (`{}`) to `Object.create(null)`, so the result object has no prototype chain. This fixes CVE-2022-37601 by ensuring that malicious query parameters cannot overwrite or access properties on `Object.prototype`, mitigating prototype pollution attacks.
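The effect of that change, as an added example that is neither Resolved Security's patch nor loader-utils' source: a simplified parser run once with a `{}` result and once with `Object.create(null)`. The names `parseQuerySketch`, `createResult` and `inspect` are hypothetical, and the query string is constructed sample input.

```javascript
// Simplified query parser for illustration; NOT loader-utils' parseQuery source.
// `createResult` is a hypothetical parameter used to swap the result container.
function parseQuerySketch(query, createResult) {
  const result = createResult();
  for (const arg of query.replace(/^\?/, "").split(/[,&]/)) {
    if (!arg) continue;
    const idx = arg.indexOf("=");
    if (idx < 0) {
      result[decodeURIComponent(arg)] = true; // bare flag, e.g. "?debug"
      continue;
    }
    let name = decodeURIComponent(arg.slice(0, idx));
    const value = decodeURIComponent(arg.slice(idx + 1));
    if (name.endsWith("[]")) {
      // "key[]=v" collects values into an array stored under "key"
      name = name.slice(0, -2);
      if (!Array.isArray(result[name])) result[name] = [];
      result[name].push(value);
    } else {
      result[name] = value;
    }
  }
  return result;
}

// Report how a parsed result relates to the prototype chain.
function inspect(result) {
  const proto = Object.getPrototypeOf(result);
  return {
    ownKeys: Object.keys(result),
    protoIsNull: proto === null,
    protoIsObjectPrototype: proto === Object.prototype,
    inheritsToString: typeof result.toString === "function",
  };
}

// Constructed sample input: an ordinary option plus a key named "__proto__".
const SAMPLE = "?mode=dev&__proto__[]=x";

// With {} the "__proto__" key goes through the inherited accessor and
// replaces the result's prototype instead of being stored as data.
const before = inspect(parseQuerySketch(SAMPLE, () => ({})));
// With Object.create(null) there is no accessor, so "__proto__" is an
// ordinary own property and the result inherits nothing.
const after = inspect(parseQuerySketch(SAMPLE, () => Object.create(null)));
console.log({ before, after });
```

Because a null-prototype result inherits nothing, code that consumes it should call `Object.prototype.hasOwnProperty.call(result, key)` rather than `result.hasOwnProperty(key)`.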

Available Upgrade Options

  • loader-utils
    • <1.4.1 → Upgrade to 1.4.1
  • loader-utils
    • >2.0.0, <2.0.3 → Upgrade to 2.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2022-37601?

Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7699, CVE-2019-10744, CVE-2020-11022, CVE-2021-23424