[GHSA-hhq3-ff78-jv3g] loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) #2906

@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hhq3-ff78-jv3g",
"modified": "2022-11-22T22:52:15Z",
"modified": "2023-09-21T22:02:26Z",
"published": "2022-10-12T12:00:27Z",
"aliases": [
"CVE-2022-37599"
],
"summary": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"details": "A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.",
"details": "The ReDoS flaw in webpack loader-utils could be exploited by an attacker to cause a denial of service attack. To mitigate this vulnerability, you should upgrade to webpack loader-utils version 1.4.2, 2.0.4, or 3.2.1 or higher.\n\nIf you are unable to upgrade to a patched version of webpack loader-utils, you can mitigate the vulnerability by implementing your own regular expression matching function. This function should be designed to be resistant to ReDoS attacks.\n\nHere are some tips for implementing a ReDoS-resistant regular expression matching function:\n\nAvoid using backtracking in your regular expressions.\nUse fixed-width character classes whenever possible.\nUse lazy quantifiers instead of greedy quantifiers.\nSet a timeout on your regular expression matching function.\nHere is an example of a ReDoS-resistant regular expression matching function in Python:\n\n```\nimport re\n\ndef match_regex(regex, string, timeout=1):\n \"\"\"Matches a regular expression against a string, with a timeout.\n\n Args:\n regex: The regular expression to match.\n string: The string to match against.\n timeout: The maximum amount of time to spend matching the regular expression.\n\n Returns:\n True if the regular expression matches the string, False otherwise.\n \"\"\"\n\n regex = re.compile(regex, re.DOTALL)\n start_time = time.time()\n match = regex.match(string)\n end_time = time.time()\n if match and (end_time - start_time) <= timeout:\n return True\n else:\n return False\n```\n\nYou can use this function to match regular expressions against strings in your application, and it will help to protect you from ReDoS attacks.\n\nIn addition to mitigating the ReDoS vulnerability in webpack loader-utils, you should also take steps to protect your application from other types of denial of service attacks. This includes implementing rate limiting and other measures to prevent attackers from flooding your application with requests.",
"severity": [
{
"type": "CVSS_V3",
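Review bot: the replacement `details` text in this hunk drops the only location information the advisory carried (the removed line names `Function interpolateName in interpolateName.js` and the `resourcePath` variable) and swaps it for generic remediation advice, and the embedded Python sample does not do what the text claims: it calls `time.time()` with only `import re` in scope, so it raises a NameError, and it measures elapsed time only after `regex.match(string)` has returned, so a catastrophic-backtracking input still burns the full CPU time before the `(end_time - start_time) <= timeout` check runs. Suggest keeping the original vulnerability description (the function and file, the `resourcePath` input, the fixed versions 1.4.2, 2.0.4 and 3.2.1) in `details` and dropping the code sample; the suggested workaround of "implementing your own regular expression matching function" does not apply here anyway, since the affected regex is inside loader-utils' `interpolateName`, not in caller code, so the actionable mitigation is the upgrade.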
@@ -113,7 +113,8 @@
],
"database_specific": {
"cwe_ids": [
"CWE-400"
"CWE-400",
"CWE-79"
],
"severity": "HIGH",
"github_reviewed": true,
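Review bot: the `"CWE-79"` entry added to `cwe_ids` (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting) does not match the vulnerability this advisory describes, which its own `summary` calls a Regular Expression Denial of Service; the existing `"CWE-400"` already covers uncontrolled resource consumption, and if a second identifier is wanted, CWE-1333 (Inefficient Regular Expression Complexity) is the one that describes ReDoS. Suggest dropping `"CWE-79"` or replacing it with `"CWE-1333"`.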