Cyber Resilience

CVE-2022-37601

CriticalPublic PoC

Published: 12 October 2022

Published
12 October 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1884 95.4th percentile
Risk Priority 31 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-37601 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Webpack.Js Loader-Utils. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-37601 is a prototype pollution vulnerability in the parseQuery function within parseQuery.js of the webpack loader-utils package. The flaw occurs via the name variable and affects all versions prior to 1.4.1 and 2.0.3. It is tracked under CWE-1321 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.

An attacker able to supply crafted input to the parseQuery function can pollute JavaScript object prototypes in applications or build processes that depend on the vulnerable loader-utils versions. Successful exploitation can lead to arbitrary manipulation of object properties, resulting in impacts to confidentiality, integrity, and availability within the affected webpack-based environment.

The package maintainers addressed the issue by releasing fixed versions 1.4.1 and 2.0.3. The provided references include source code links to the affected parseQuery.js implementation along with academic papers examining JavaScript prototype pollution patterns, but contain no additional mitigation guidance beyond the version updates. The associated EPSS score has remained in a narrow band near 0.19 with no pronounced post-disclosure increase.

EU & UK References

Vulnerability details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webpack.js
loader-utils
≤ 1.4.1 · 2.0.0 — 2.0.3
debian
debian linux
10.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References