// For flags

CVE-2022-37603

loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Se ha encontrado un fallo de denegación de servicio de expresión Regular (ReDoS) en la función interpolateName en el archivo interpolateName.js en webpack loader-utils 2.0.0 por medio de la variable url en interpolateName.js

A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.

The package loader-utils before 1.4.2, from 2.0.0 and before 2.0.4 as well as versions from 3.0.0 but below 3.2.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the resourcePath variable due to insecure usage of regular expressions. Some WordPress plugins and themes use this dependency, however, are not vulnerable to exploitation.

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, open redirection, server-side request forgery, and traversal vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-08-08 CVE Reserved
  • 2022-10-11 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-185: Incorrect Regular Expression
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-1333: Inefficient Regular Expression Complexity
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Webpack.js
Search vendor "Webpack.js"
 Loader-utils
Search vendor "Webpack.js" for product "Loader-utils"
 < 1.4.2
Search vendor "Webpack.js" for product "Loader-utils" and version " < 1.4.2"
-
Affected
Webpack.js
Search vendor "Webpack.js"
 Loader-utils
Search vendor "Webpack.js" for product "Loader-utils"
 >= 2.0.0 < 2.0.4
Search vendor "Webpack.js" for product "Loader-utils" and version " >= 2.0.0 < 2.0.4"
-
Affected
Webpack.js
Search vendor "Webpack.js"
 Loader-utils
Search vendor "Webpack.js" for product "Loader-utils"
 >= 3.0.0 < 3.2.1
Search vendor "Webpack.js" for product "Loader-utils" and version " >= 3.0.0 < 3.2.1"
-
Affected