Security Vulnerabilities issue

[kundarsowjanya]

Hi,
I'm not using loader-utils directly in my package.json, but may be it has transitive dependency, and currently I'm using react-script v5,
but now I'm getting Security Vulnerabilities issue as

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js

and also I ran npm ls loader-utils, so the result is:

-- react-scripts@5.0.1 +-- @pmmmwh/react-refresh-webpack-plugin@0.5.8 | -- loader-utils@2.0.2
+-- @svgr/webpack@5.5.0
| -- loader-utils@2.0.2 deduped +-- babel-loader@8.2.5 | -- loader-utils@2.0.2 deduped
+-- file-loader@6.2.0
| -- loader-utils@2.0.2 deduped +-- react-dev-utils@12.0.1 | -- loader-utils@3.2.0
-- resolve-url-loader@4.0.0 +-- adjust-sourcemap-loader@4.0.0 | -- loader-utils@2.0.2 deduped
`-- loader-utils@2.0.2 deduped

could you please give me the suggestion how to fix this.

Thanks
Sowjanya

[alexander-akait]

loader-utils 2.0.0 is deprecated, please ask developers to update to v3 (even more, you don't need in most of cases loader-utils 2.0.0, because most of feature were moved to webpack itself)

[Donhv]

loader-utils 2.0.0 is deprecated, please ask developers to update to v3 (even more, you don't need in most of cases loader-utils 2.0.0, because most of feature were moved to webpack itself)

i see webpack have no plan to update loader-utils version. they still use v2.
i tried to force use v3 by resolutions but got error loaderUtils.getOptions

[kundarsowjanya]

Hi, even after using v3 still getting same error

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 3.0.0 via the resourcePath variable in interpolateName.js

[jenilG]

We are also facing the same issue with 3.0.2

[alexander-akait]

I can't reproduce it using v3:

akait@akait-notebook:~/IdeaProjects/css-minimizer-webpack-plugin$ npm i loader-utils

added 1 package, and audited 1102 packages in 2s

156 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
akait@akait-notebook:~/projects/project$ npm audit
found 0 vulnerabilities
akait@akait-notebook:~/projects/project$ 

[alexander-akait]

And also I think there is a problem with a security tool, becaue I can't reproduce ReDos using https://github.com/webpack/loader-utils/blob/master/lib/interpolateName.js#L51

[alexander-akait]

So if somebody have an example of this exploit - PR welcome or write me on sheo13666q @ gmail.com, I am glad to fix it, but can't find a way how it is possible to use reproduce (that is why I think there is a problem with security tools)

[mdlkumaran]

Facing same issue

npm audit
(Use node --trace-warnings ... to show where the warning was created)

npm audit report

loader-utils ≤ 3.2.0
Severity: high
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. - https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38,https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83,https://github.com/webpack/loader-utils/issues/211
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@13.0.4, which is a breaking change
node_modules/loader-utils
@angular-devkit/build-angular >=13.1.0-next.0
Depends on vulnerable versions of loader-utils
node_modules/@angular-devkit/build-angular

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

[alexander-akait]

Please avoid duplicate, because it doesn't help, thank you

[v-pasha2]

is there any solution for this i am seeing this for version 3.2.0 as well ?

[angularDevEng]

any news?

[alexander-akait]

Please read my comments above, looks like it is false positive in security system, please report them

[JSMike]

Disregard, comment meant for #212

[alexander-akait]

@JSMike Thank for CVE-2022-37601, I will fix it, but the original issue about the security problem in interpolateName.js, and file and line is wrong