CVE-2022-37601

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2022-37601

CGA ID

CGA-fggr-qmgm-5v3m

Severity

Unknown

Description

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

References

https://images.chainguard.dev/security/CGA-fggr-qmgm-5v3m
https://github.com/advisories/GHSA-76p3-8jx3-jpfq
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
https://github.com/webpack/loader-utils/issues/212
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
https://dl.acm.org/doi/abs/10.1145/3488932.3497769
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
https://security-tracker.debian.org/tracker/CVE-2022-37601

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2022-37601

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources