Detections
Analytics

CVE-2022-37601

critical

Description

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

References

https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html

https://github.com/webpack/loader-utils/issues/212

https://www.securityweek.com/atlassian-patches-critical-apache-tika-flaw/

https://securityaffairs.com/185710/security/atlassian-fixed-maximum-severity-flaw-cve-2025-66516-in-apache-tika.html

https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826

https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884

https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47

https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11

https://dl.acm.org/doi/pdf/10.1145/3488932.3497769

https://dl.acm.org/doi/abs/10.1145/3488932.3497769

http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf

Details

Source: Mitre, NVD

Published: 2022-10-12

Updated: 2024-05-14

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.15726