CVE-2022-37601
Description
Prototype pollution in webpack loader-utils parseQuery function allows attackers to inject properties into Object prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in webpack loader-utils parseQuery function allows attackers to inject properties into Object prototype.
Vulnerability
Overview
CVE-2022-37601 is a prototype pollution vulnerability in the parseQuery function within parseQuery.js of the popular Node.js library webpack/loader-utils [1]. The flaw arises because the function unsafely handles the name variable, allowing an attacker to inject properties into the global Object.prototype when parsing crafted query strings [1]. Prototype pollution is a common JavaScript vulnerability that can lead to unexpected behavior across an application, potentially affecting any code that relies on the standard object prototype.
Exploitation
Details
To exploit this vulnerability, an attacker must be able to supply a malicious query string to a loader that uses loader-utils's parseQuery function. This typically requires control over input passed into a webpack configuration or a build pipeline, such as via a crafted URL or build argument [2]. No authentication is required per se, but the attacker must have a way to influence the query string processed by the library. The prototype pollution occurs during the parsing of the query string, where the name variable is used to set properties on an object without proper sanitization [1].
Potential
Impact
A successful prototype pollution attack can allow the attacker to set arbitrary properties on the global Object.prototype [1]. This can lead to various downstream security issues, including denial of service (via property overwrites), elevation of privilege in some contexts, and potentially remote code execution if polluted properties are used in security-sensitive operations. The impact is highly dependent on how the application uses the polluted property, but the underlying bug provides a foundational primitive for further exploitation.
Mitigation
Status
The vulnerability affects all versions of webpack/loader-utils prior to 1.4.1 and 2.0.3 [1]. The maintainers have released patched versions that fix the prototype pollution in the parseQuery function. Users are strongly advised to update to version 1.4.1 (for the 1.x branch) or 2.0.3 (for the 2.x branch) to mitigate the risk [1][2]. The fix involves proper sanitization of the parsed query string to prevent pollution of the prototype chain.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
loader-utilsnpm | >= 2.0.0, < 2.0.3 | 2.0.3 |
loader-utilsnpm | < 1.4.1 | 1.4.1 |
Affected products
8- webpack/loader-utilsdescription
- osv-coords7 versionspkg:apk/chainguard/jitsucom-jitsupkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/jitsucom-jitsu-rotorpkg:apk/wolfi/jitsucom-jitsupkg:apk/wolfi/jitsucom-jitsu-consolepkg:apk/wolfi/jitsucom-jitsu-rotorpkg:npm/loader-utils
< 2.11.0-r6+ 6 more
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: < 2.11.0-r6
- (no CPE)range: >= 2.0.0, < 2.0.3
Patches
34504e34c4796fix: security problem (#220)
1 file changed · +1 −1
lib/parseQuery.js+1 −1 modified@@ -26,7 +26,7 @@ function parseQuery(query) { } const queryArgs = query.split(/[,&]/g); - const result = {}; + const result = Object.create(null); queryArgs.forEach((arg) => { const idx = arg.indexOf('=');
a93cf6f47020fix(security): prototype polution exploit (#217)
1 file changed · +1 −1
lib/parseQuery.js+1 −1 modified@@ -26,7 +26,7 @@ function parseQuery(query) { } const queryArgs = query.split(/[,&]/g); - const result = {}; + const result = Object.create(null); queryArgs.forEach((arg) => { const idx = arg.indexOf('=');
f4e48a232faefix: Resolve potential prototype polution exploit
1 file changed · +1 −1
lib/parseQuery.js+1 −1 modified@@ -26,7 +26,7 @@ function parseQuery(query) { } const queryArgs = query.split(/[,&]/g); - const result = {}; + const result = Object.create(null); queryArgs.forEach((arg) => { const idx = arg.indexOf('=');
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
18- github.com/advisories/GHSA-76p3-8jx3-jpfqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-37601ghsaADVISORY
- users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdfghsaWEB
- dl.acm.org/doi/abs/10.1145/3488932.3497769ghsaWEB
- dl.acm.org/doi/pdf/10.1145/3488932.3497769ghsaWEB
- github.com/webpack/loader-utils/commit/4504e34c4796a5836ef70458327351675aed48a5ghsaWEB
- github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4cghsaWEB
- github.com/webpack/loader-utils/commit/f4e48a232fae900237c3e5ff7b57ce9e1c734de1ghsaWEB
- github.com/webpack/loader-utils/issues/212ghsaWEB
- github.com/webpack/loader-utils/issues/212ghsaWEB
- github.com/webpack/loader-utils/pull/217ghsaWEB
- github.com/webpack/loader-utils/pull/220ghsaWEB
- github.com/webpack/loader-utils/releases/tag/v1.4.1ghsaWEB
- github.com/webpack/loader-utils/releases/tag/v2.0.3ghsaWEB
- github.com/xmldom/xmldom/issues/436ghsaWEB
- lists.debian.org/debian-lts-announce/2022/12/msg00044.htmlghsamailing-listWEB
- github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.jsmitre
- github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.jsmitre
News mentions
0No linked articles in our index yet.