[CVE-2022-37603]/ReDoS found in interpolateName.js

[secdevlpr26]

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

[alexander-akait]

Please migrate to 3 version, 2 version is deprecated and doesn't supported, thank you

[LucasLopesr]

same problem in version 3.2.0

[Ginxo]

@JSMike @alexander-akait
what about this PR #217 where v2 is also fixed?
Version 2.0.3 already published https://www.npmjs.com/package/loader-utils/v/2.0.3
Thanks

[TomasHofman]

PR #217 doesn't fix this vulnerability. It's for CVE-2022-37601.

[carnil]

#225 fixes as well this issue for the 2.0.x version?

[alexander-akait]

Yes, backported to all versions (except 0.x)

[carnil]

Thanks for the confirmation!

[esther0012]

How can I change the version?

[alexander-akait]

Just update transitive deps - rm -rf package-lock.json && rm -rf node_modules && npm i (note - it will update all transitive deps)