[CVE-2022-37599]/ReDos found in interpolateName.js

[secdevlpr26]

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

[alexander-akait]

Please migrate to 3 version, 2 version is deprecated and doesn't supported, thank you

[nalbion]

@Supraja9726 There is no information regarding CVE-2022-37599 on any of the usual sites. Does migrating to version 3 resolve the issue? Can this vulnerability be ignored by projects?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37599

[bholloway]

Please migrate to 3 version, 2 version is deprecated and doesn't supported, thank you

From what I can see loader.getOptions() was removed in version 3 and the loader this. getOptions() was introduced webpack@5 meaning there is no solution here for webpack@4 and earlier.

I accept that updating to version 3 is not much of an ask but updating older projects to webpack@5 is a stretch. Is there some other workaround?

[Yogu]

This issue is linked in an npm advisory for version 3.2.0 of this library. This occurs on a clean new angular project.

# npm audit report

loader-utils  ≤ 3.2.0
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. - https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38,https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83,https://github.com/webpack/loader-utils/issues/211
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@13.0.4, which is a breaking change
node_modules/loader-utils
  @angular-devkit/build-angular  >=13.1.0-next.0
  Depends on vulnerable versions of loader-utils
  node_modules/@angular-devkit/build-angular

I'm a bit confused - this issue here is closed and only talks about version 2. Is version 3.2.0 affected, too? Will there be a fix for it? Or is the advisory wrong?

Edit: I see this has been reported already in #214 (comment). It's probably an npm bug where npm gets confused about the dependency path. There's been tons of these issues around npm since version 8... (or the advisory for this package actually states that it affects 3.2.0. It states <= 3.2.0, is that a typo and should have been < 3.2.0?)

[alexander-akait]

Maybe this #215 too

[jeran-urban]

The main issues around Regex DOS attacks is in badly formed queries that are not strict enough, and no exit condition involving a time limit for processing. If you ensure that the query is perfectly formed or at least add an exit condition based on a time limit (a few seconds) then this should resolve the issue. More information here: https://www.regular-expressions.info/redos.html#Handling%20Regexes%20Provided%20by%20The%20User. I will drop this information on the other threads as I believe this is still a legitimate vulnerability in v 3.x as well

[carnil]

#225 fixes this issue as well for the 2.0.x version?

[alexander-akait]

Yes, backported to all versions (except 0.x)