CVE Vulnerability

CVE-2022-37601

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Exploit Third Party Advisory
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Exploit Third Party Advisory
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
https://dl.acm.org/doi/abs/10.1145/3488932.3497769
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
Configurations

Configuration 1

cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
Information

Published : 2022-10-12 08:15

Updated : 2022-12-31 07:15

NVD link : CVE-2022-37601

Mitre link : CVE-2022-37601

Products Affected
No products.
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')