Skip to content

style-loader-2.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) unreachable #1993

New issue
New issue
Open
Open
style-loader-2.0.0.tgz: 3 vulnerabilities (highest severity is: 9.8) unreachable#1993
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
opened on Jan 29, 2025
Vulnerable Library - style-loader-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coffee-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/@rails/webpacker/node_modules/style-loader/node_modules/loader-utils/package.json,/node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/file-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (style-loader version) Remediation Possible** Reachability
CVE-2022-37601 Critical 9.8 Not Defined 2.3% loader-utils-2.0.0.tgz Transitive 3.0.0

Unreachable
CVE-2022-37603 High 7.5 Not Defined 1.5% loader-utils-2.0.0.tgz Transitive 3.0.0

Unreachable
CVE-2022-37599 High 7.5 Not Defined 0.3% loader-utils-2.0.0.tgz Transitive 3.0.0

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37601

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coffee-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/@rails/webpacker/node_modules/style-loader/node_modules/loader-utils/package.json,/node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/file-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • style-loader-2.0.0.tgz (Root Library)
    • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (style-loader): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37603

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coffee-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/@rails/webpacker/node_modules/style-loader/node_modules/loader-utils/package.json,/node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/file-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • style-loader-2.0.0.tgz (Root Library)
    • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.5%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 2.0.4

Direct dependency fix Resolution (style-loader): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37599

Vulnerable Library - loader-utils-2.0.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coffee-loader/node_modules/loader-utils/package.json,/node_modules/sass-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/@rails/webpacker/node_modules/style-loader/node_modules/loader-utils/package.json,/node_modules/css-loader/node_modules/loader-utils/package.json,/node_modules/file-loader/node_modules/loader-utils/package.json,/node_modules/style-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • style-loader-2.0.0.tgz (Root Library)
    • loader-utils-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhq3-ff78-jv3g

Release Date: 2022-10-11

Fix Resolution (loader-utils): 2.0.3

Direct dependency fix Resolution (style-loader): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions