CVE-2022-37599: loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

CVSS 3.1 Base Score: 7.5 (High)

Basic Information

EPSS Score: 0.89291%
Published: 10/12/2022
Updated: 4/22/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions    First Patched Version
loader-utils   npm         >= 1.0.0, < 1.4.2      1.4.2
loader-utils   npm         >= 2.0.0, < 2.0.4      2.0.4
loader-utils   npm         >= 3.0.0, < 3.2.1      3.2.1

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability is tied to the interpolateName function, which passes the caller-supplied resourcePath through a regular expression that is prone to catastrophic backtracking. The GitHub patch changes the character class inside the optional capture group from [^:\]] to [^[\]:]. Adding the opening bracket to the negated class means a run of [ characters can no longer be absorbed by the group, so a failed match attempt at each position stops immediately instead of backtracking across the remainder of the string; that is what reduces the backtracking complexity. The CVE description, the commit diff, and the advisory references all point to this function and this regex, and because interpolateName processes untrusted resourcePath values, it is the entry point for a crafted input.
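Below is an added example, not code from loader-utils, webpack, or Miggo, that contrasts the two character classes named above inside a small stand-in for the template-substitution step of interpolateName. The full regex shape (the [<hashType>:hash:<digestType>:<length>] placeholder syntax), the fakeDigest helper, and the sample templates are assumptions constructed for illustration; only the change from [^:\]] to [^[\]:] is taken from the advisory. The script expands a benign template with both patterns to show they agree, then times each one on a constructed payload of repeated [ characters, the input shape that forces the vulnerable class to backtrack.

```javascript
// Added example, not code from loader-utils or Miggo: a minimal stand-in for the
// template-substitution step in interpolateName, used to contrast the ReDoS-prone
// character class with the hardened one described in the advisory. The surrounding
// regex shape ("[<hashType>:hash:<digestType>:<len>]") and fakeDigest() are assumptions
// made for illustration; only the class change [^:\]] -> [^[\]:] comes from the page.

// Vulnerable shape: the optional "<hashType>:" group may swallow '[' characters, so on
// a template made of '[' every starting position consumes the rest of the string,
// fails on the missing ':' and backtracks one character at a time (quadratic work).
const VULNERABLE_HASH_RE =
  /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Hardened shape: '[' is excluded from the class, so the group cannot cross the next
// '[' and a failed attempt costs constant work at each position (linear overall).
const HARDENED_HASH_RE =
  /\[(?:([^[\]:]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Constructed stand-in for a content-hash helper: real code hashes the asset content.
function fakeDigest(hashType, digestType, maxLength) {
  const digest = "0123456789abcdef0123456789abcdef";
  const len = maxLength === undefined ? digest.length : parseInt(maxLength, 10);
  return `${hashType || "md4"}-${digestType || "hex"}-${digest.slice(0, len)}`;
}

// Expand [hash]/[contenthash] placeholders in a file-name template with the given regex.
function substituteHash(template, re) {
  return template.replace(re, (all, hashType, digestType, maxLength) =>
    fakeDigest(hashType, digestType, maxLength)
  );
}

// Worst-case input for the vulnerable class: n opening brackets and nothing else.
function redosPayload(n) {
  return "[".repeat(n);
}

// Time one substitution; returns elapsed milliseconds and whether the template came
// back unchanged (a payload of bare brackets never matches either pattern).
function measure(re, template) {
  const start = process.hrtime.bigint();
  const out = substituteHash(template, re);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ms, unchanged: out === template };
}

// Both patterns agree on well-formed templates; only their cost on hostile input differs.
function demo() {
  const benign = "[name].[sha256:contenthash:base64:8].js"; // constructed template
  console.log("vulnerable:", substituteHash(benign, VULNERABLE_HASH_RE));
  console.log("hardened:  ", substituteHash(benign, HARDENED_HASH_RE));
  for (const n of [2000, 4000, 8000]) {
    const payload = redosPayload(n);
    const v = measure(VULNERABLE_HASH_RE, payload);
    const h = measure(HARDENED_HASH_RE, payload);
    // Doubling n roughly quadruples the vulnerable time and barely moves the hardened one.
    console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, hardened ${h.ms.toFixed(2)} ms`);
  }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Run it with node and compare the two timing columns as n doubles. To find out whether a project is exposed, npm ls loader-utils lists every copy in the dependency tree (the package is typically pulled in transitively by webpack loaders rather than declared directly), and each copy should be at or above the patched version for its major line: 1.4.2, 2.0.4 or 3.2.1.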


WAF Protection Rules

WAF Rule

A regular expression denial of service (ReDoS) flaw was found in function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send cr
