CVE-2022-37603
Denial of Service vulnerability in loader-utils (npm)
What is CVE-2022-37603 About?
This vulnerability is a Regular expression Denial of Service (ReDoS) flaw in the `interpolateName` function of webpack's `loader-utils` (reported against 2.0.0; the 1.x, 2.x and 3.x ranges listed below are all affected). A maliciously crafted `url` string drives the placeholder regular expression into heavy backtracking, consuming CPU until the match completes and denying service to everything else the process is doing. It is moderately easy to exploit once an attacker controls that string: no regex is supplied by the attacker, only a long input shaped to trigger the backtracking.
Affected Software
- loader-utils
  - <1.4.2
  - >=2.0.0, <2.0.4
  - >=3.0.0, <3.2.1
Technical Details
The ReDoS vulnerability is in the `interpolateName` function in `lib/interpolateName.js` (the page links the relevant lines of the affected revision below). When `content` is supplied, the function rewrites the `url` template, which is initialised from the `name` argument (default `[hash].[ext]`), using a regular expression that matches `[hash]` and `[contenthash]` placeholders together with their optional hash type, digest type and length. The optional hash-type group is a greedy negated character class that excludes only `:` and `]`, so it will also swallow further `[` characters. An attacker who controls `url` therefore supplies a long run of `[`: at every position the engine matches the opening bracket, lets the group consume the remainder of the string, then backtracks one character at a time looking for a `:` that never arrives. The work grows quadratically with the input length rather than linearly, and because Node.js evaluates regular expressions synchronously the event loop is blocked for the whole evaluation, which is the denial of service.
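As an added example (editor's code, not from the loader-utils project or from this advisory's author), the two regular expressions below reproduce, to the best of the editor's reading of the linked `interpolateName.js`, the `[hash]` template pattern before and after the fix, and a small harness shows why one backtracks quadratically on a crafted `url` while the other does not. The payload shape (a run of `[`), the helper names (`hashPlaceholders`, `craftedUrl`, `timeReplace`, `growthFactor`) and the sample templates are the editor's constructions; verify the regex text against the pinned source before relying on it.

```javascript
// Added example (not loader-utils project code): contrasts the [hash] template
// regex of affected interpolateName releases with the tightened form and lets
// you measure how each scales on a crafted `url` string. Both patterns are the
// editor's reproduction of the linked interpolateName.js; verify against source.

// Affected releases: the optional hash-type group `([^:\]]+)` excludes only
// `:` and `]`, so it also swallows `[`. On a run of `[` the engine matches `\[`
// at every position, lets the group eat the remainder, then backtracks one
// character at a time looking for a `:` that never comes: O(n) per position,
// O(n^2) overall.
const VULNERABLE_HASH_RE =
  /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Fixed releases: `[` is excluded from the group as well, so a candidate match
// can never extend past the next `[` and the total work stays linear.
const FIXED_HASH_RE =
  /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Lists the hash placeholders in a template the way interpolateName's replace
// callback would see them (hashType, digestType, maxLength; null when absent).
function hashPlaceholders(template, re) {
  return Array.from(template.matchAll(re), (m) => ({
    placeholder: m[0],
    hashType: m[1] || null,
    digestType: m[2] || null,
    maxLength: m[3] || null,
  }));
}

// Constructed ReDoS payload: n opening brackets and nothing else.
function craftedUrl(n) {
  return "[".repeat(n);
}

// Wall-clock milliseconds for one replace pass of `re` over a crafted url of
// length n. The match never succeeds; all the time is spent backtracking.
function timeReplace(re, n) {
  const url = craftedUrl(n);
  const start = process.hrtime.bigint();
  url.replace(re, () => "");
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Ratio of run times when the input doubles: about 4 for quadratic behaviour,
// about 2 (or lost in timer noise) for linear behaviour.
function growthFactor(re, n) {
  return timeReplace(re, 2 * n) / timeReplace(re, n);
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const n = 20000;
  console.log(
    `vulnerable regex: ${timeReplace(VULNERABLE_HASH_RE, n).toFixed(1)} ms, ` +
      `growth x${growthFactor(VULNERABLE_HASH_RE, n).toFixed(1)} when n doubles`
  );
  console.log(
    `fixed regex:      ${timeReplace(FIXED_HASH_RE, n).toFixed(1)} ms, ` +
      `growth x${growthFactor(FIXED_HASH_RE, n).toFixed(1)} when n doubles`
  );
}
```

Running the file with `node` prints the timings; expect the vulnerable pattern to take roughly four times longer each time `n` doubles while the fixed one stays in the noise. On well-formed templates such as `[sha256:contenthash:hex:8].[ext]` both patterns return the same placeholders, which is why the tightened regex is a safe drop-in; the only inputs whose parse changes are those with a `[` inside the hash-type group, which no legitimate template uses.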
What is the Impact of CVE-2022-37603?
Successful exploitation lets an attacker pin the CPU with a single crafted string. Node.js evaluates the regular expression synchronously on the event loop, so the affected process stops serving all other work until the match finishes or the process is killed; repeated requests keep it unavailable. There is no confidentiality or integrity impact.
What is the Exploitability of CVE-2022-37603?
Exploitation requires the ability to supply the string that becomes the `url` variable in `interpolateName`, that is, the `name` template passed to the function, and to have `content` set so the hash-placeholder regex runs. The complexity is low to moderate: the attacker does not craft a regular expression, only a long input shaped to make the optional hash-type group backtrack. No authentication or privilege is needed if that input path is reachable. In a typical webpack build the template comes from the project's own configuration, so the realistic exposure is in services that accept file-name templates or loader options from users (online bundlers, build-as-a-service platforms, plugins that interpolate user-supplied names) or in pipelines that build untrusted configuration; there the attack is remote. Risk factors are any application that passes untrusted input to an affected `loader-utils` version without bounding its length or restricting it to the documented placeholder syntax.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-37603?
About the Fix from Resolved Security
This patch tightens the regular expression in `interpolateName.js` that matches `[hash]` and `[contenthash]` placeholders: the optional hash-type group is restricted so that it can no longer run across the rest of the `url` string, which removes the backtracking an attacker could trigger with a crafted input. This mitigates CVE-2022-37603, whose impact is CPU exhaustion (denial of service); it does not alter generated file names and is unrelated to path traversal or remote code execution.
Available Upgrade Options
- loader-utils
  - <1.4.2 → Upgrade to 1.4.2
  - >=2.0.0, <2.0.4 → Upgrade to 2.0.4
  - >=3.0.0, <3.2.1 → Upgrade to 3.2.1

`loader-utils` is usually a transitive dependency pulled in by individual loaders, so check every resolved copy with `npm ls loader-utils` (or `yarn why loader-utils`) rather than only the top-level `package.json`; where a loader pins an older range, an `overrides` (npm) or `resolutions` (yarn) entry forces the patched release within the same major line.
Additional Resources
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
- https://osv.dev/vulnerability/GHSA-3rfm-jhwj-7488
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375
- https://github.com/webpack/loader-utils
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107
- https://github.com/webpack/loader-utils/issues/216
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU
- https://github.com/webpack/loader-utils/issues/213
What are Similar Vulnerabilities to CVE-2022-37603?
Similar Vulnerabilities: CVE-2023-26116, CVE-2022-26279, CVE-2020-28283, CVE-2020-7798, CVE-2021-23363
