CVE: 2022-37603 found in loader-utils - Version: 1.4.2,2.0.4 [JS] #126

github-actions · 2023-02-27T16:16:03Z

Veracode Software Composition Analysis

Attribute	Details
Library	loader-utils
Description	utils for webpack loaders
Language	JS
Vulnerability	Regular Expression Denial Of Service (ReDoS)
Vulnerability description	loader-utils is vulnerable to regular expression denial of service. The vulnerability is due to insecure regular expression in the `url` variable of the `interpolateName` function in `interpolateName.js`. A remote attacker can cause denial of service via malicious regex.
CVE	2022-37603
CVSS score	5
Vulnerability present in version/s	1.0.0-2.0.4
Found library version/s	1.4.2,2.0.4
Vulnerability fixed in version	3.0.0
Library latest version	3.2.1
Fix

Links:

The text was updated successfully, but these errors were encountered:

mattcollier · 2023-02-27T16:23:17Z

Although the Veracode issue indicates that the vulnerability is fixed in v3.x, in fact the fix was backported to v1 and v2 as well.

Therefore this issue is a NOOP.

github-actions bot added Severity: Medium Medium severity Veracode Dependency Scanning A Veracode identified vulnerability labels Feb 27, 2023

dlongley closed this as completed Mar 3, 2023