CVE-2022-37601
Published: 12 October 2022
Summary
CVE-2022-37601 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the webpack loader-utils package. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-37601 is a prototype pollution vulnerability in the parseQuery function within parseQuery.js of the webpack loader-utils package. The flaw is reached through the name variable in that file and affects all versions prior to 1.4.1 and 2.0.3. It is tracked under CWE-1321 and carries a CVSS 3.1 score of 9.8, reflecting a vector that is network-reachable and requires neither authentication nor user interaction.
An attacker able to supply crafted input to the parseQuery function can pollute JavaScript object prototypes in applications or build processes that depend on the vulnerable loader-utils versions. Successful exploitation can lead to arbitrary manipulation of object properties, resulting in impacts to confidentiality, integrity, and availability within the affected webpack-based environment.
The package maintainers addressed the issue by releasing fixed versions 1.4.1 and 2.0.3. The provided references include source code links to the affected parseQuery.js implementation along with academic papers examining JavaScript prototype pollution patterns, but contain no additional mitigation guidance beyond the version updates. The associated EPSS score has remained in a narrow band near 0.19 with no pronounced post-disclosure increase.
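As an added illustration that is not loader-utils code and not the maintainers' fix, the following hardened parser for webpack-style loader query strings shows the two guards that keep a parseQuery-style function from ever writing into Object.prototype: a null-prototype result object and rejection of prototype-related key names. The function names, the query syntax handled and the error text are assumptions of this example.

```javascript
// Added example, not code from loader-utils: a hardened parser for webpack-style
// loader queries ("?name=value&flag&-flag"; ',' also separates pairs).
// Two independent guards against CWE-1321 (prototype pollution):
//   1. the result has no prototype (Object.create(null)), so a key such as
//      "__proto__" can only ever become an own property of the result;
//   2. keys that name prototype machinery are rejected before assignment.
// Function names, query syntax and error text are assumptions of this example.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parseQuerySafe(query) {
  const body = query.startsWith("?") ? query.slice(1) : query;
  const result = Object.create(null); // guard 1: no Object.prototype in the chain
  if (body === "") return result;
  for (const part of body.split(/[,&]/)) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    let name;
    let value;
    if (eq === -1) {
      // Bare "flag" means true; "-flag" means false.
      const negated = part.startsWith("-");
      name = negated ? part.slice(1) : part;
      value = !negated;
    } else {
      name = part.slice(0, eq);
      value = decodeURIComponent(part.slice(eq + 1));
    }
    name = decodeURIComponent(name);
    if (PROTOTYPE_KEYS.has(name)) {
      // guard 2: refuse loudly rather than drop silently, so bad input surfaces in logs
      throw new Error(`parseQuerySafe: rejected key "${name}"`);
    }
    // Repeated keys accumulate into an array instead of overwriting each other.
    if (name in result) {
      if (!Array.isArray(result[name])) result[name] = [result[name]];
      result[name].push(value);
    } else {
      result[name] = value;
    }
  }
  return result;
}

// Invariant to check after parsing untrusted input: a key that never appeared in
// any query must not resolve on a fresh {} (i.e. Object.prototype is untouched).
function objectPrototypeIsClean(probeKey) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, probeKey)
    && ({})[probeKey] === undefined;
}
```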
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7042
Vulnerability details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
- CWE(s): CWE-1321 (Prototype Pollution)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.