CVE-2022-37601
loader-utils (JS package) < 2.0.3 - Prototype Pollution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Una vulnerabilidad de contaminaciĆ³n de prototipos en la funciĆ³n parseQuery en el archivo parseQuery.js en webpack loader-utils 2.0.0 por medio de la variable name en parseQuery.js
A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.
The package loader-utils before 1.4.1, from 2.0.0 and before 2.0.3 is vulnerable to prototype pollution via the function parseQuery which could make injecting malicious web scripts possible in some cases.
Juraj Somorovsky, Marcel Maehren, Nurullah Erinola, and Robert Merget discovered that the DTLS implementation in the JSSE subsystem of OpenJDK did not properly restrict handshake initiation requests from clients. A remote attacker could possibly use this to cause a denial of service. Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not properly validate the origin of a Soundbank. An attacker could use this to specially craft an untrusted Java application or applet that could load a Soundbank from an attacker controlled remote URL.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-08-08 CVE Reserved
- 2022-10-12 CVE Published
- 2024-10-28 CVE Updated
- 2024-10-28 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf | Technical Description | |
| https://dl.acm.org/doi/abs/10.1145/3488932.3497769 | Technical Description | |
| https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 | Technical Description | |
| https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 | Product | |
| https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 | Product | |
| https://github.com/webpack/loader-utils/issues/212 | Issue Tracking | |
| https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 | 2024-10-28 | |
| https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 | 2024-10-28 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2022-37601 | 2023-02-28 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134876 | 2023-02-28 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Webpack.js Search vendor "Webpack.js" | Loader-utils Search vendor "Webpack.js" for product "Loader-utils" | < 1.4.1 Search vendor "Webpack.js" for product "Loader-utils" and version " < 1.4.1" | - |
Affected
| ||||||
| Webpack.js Search vendor "Webpack.js" | Loader-utils Search vendor "Webpack.js" for product "Loader-utils" | >= 2.0.0 < 2.0.3 Search vendor "Webpack.js" for product "Loader-utils" and version " >= 2.0.0 < 2.0.3" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||