CVE-2022-37601
CRITICALwebpack.js loader-utils <1.4.1 and >=2.0.0 <2.0.3 - Prototype Pollution via parseQuery Function
Title source: llmDescription
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
References (9)
Core 9
Core References
Technical Description
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769
Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
Issue Tracking, Third Party Advisory
https://github.com/webpack/loader-utils/issues/212
Exploit, Issue Tracking, Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
Exploit, Issue Tracking, Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
Scores
CVSS v3
9.8
EPSS
0.0260
EPSS Percentile
83.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1321
Status
published
Products (3)
debian/debian_linux
10.0
npm/loader-utils
2.0.0 - 2.0.3npm
webpack.js/loader-utils
< 1.4.1
Published
Oct 12, 2022
Tracked Since
Feb 18, 2026