CVE-2022-37603
Description
A regular expression denial of service (ReDoS) vulnerability in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A regular expression denial of service (ReDoS) flaw exists in the interpolateName function in interpolateName.js of webpack loader-utils version 2.0.0. It is triggered through the url variable, which is processed by a regular expression whose matching time degrades catastrophically on specially crafted input [1] [3]. The fix commits listed under Patches below narrow the character class of the optional hash-type group in the hash placeholder pattern so that it no longer accepts the '[' character.
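As an added example (not loader-utils' own code), the following runs the hash-placeholder regex from lib/interpolateName.js both before and after the fix commits on this page through the same replace() callback shape the library uses, with getHashDigest() replaced by a stub that echoes the captures. It shows that well-formed templates produce identical output on both sides of the fix, and where the narrowed character class changes behaviour.

```javascript
// Added example, not loader-utils' own code: the hash-placeholder regex from
// lib/interpolateName.js before and after the fix commits on this page, driven
// the same way the library drives it (String.prototype.replace with a callback
// receiving the hashType / digestType / maxLength captures). getHashDigest()
// is replaced by a stub that echoes the captures, so the effect of the
// one-character class change is visible in the output.
const VULNERABLE_RE = /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;
const PATCHED_RE = /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Stand-in for getHashDigest(): render the captures as "{hashType|digestType|maxLength}".
function echoDigest(hashType, digestType, maxLength) {
  return `{${hashType ?? "-"}|${digestType ?? "-"}|${maxLength ?? "-"}}`;
}

function interpolateHash(name, re) {
  return name.replace(re, (all, hashType, digestType, maxLength) =>
    echoDigest(hashType, digestType, maxLength));
}

// Run one template through both patterns and report whether they agree.
function compareTemplate(name) {
  const before = interpolateHash(name, VULNERABLE_RE);
  const after = interpolateHash(name, PATCHED_RE);
  return { name, before, after, same: before === after };
}

// Well-formed templates: identical output before and after the fix.
// A template with a stray '[' in front of the hash-type name: the old class
// let the optional group swallow it; the patched class stops at '['.
const SAMPLES = ["[name].[hash:8].[ext]", "[sha256:contenthash:hex:16]", "[[sha256:hash]"];
```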
Exploitation
An attacker can exploit this by supplying a malicious resource URL to the interpolateName function. Since this function is commonly used by webpack loaders to transform filenames, the attack vector is primarily through crafted module requests. The vulnerability does not require authentication, just the ability to pass a controlled string to the loader, which can occur in projects that handle user-supplied file paths or query parameters [2] [4].
Impact
Successful exploitation leads to a denial of service condition, where the application becomes unresponsive due to excessive CPU consumption. This can cause delays or complete failure of the webpack build process, affecting development workflows or production deployments relying on the loader [1].
Mitigation
The vendor has acknowledged the issue, and updating to a patched version of loader-utils is recommended. Users should avoid version 2.0.0 and upgrade to a release that addresses the ReDoS vulnerability (see the Affected packages table for the patched versions); no workaround other than upgrading is currently available [1] [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| loader-utils (npm) | >= 1.0.0, < 1.4.2 | 1.4.2 |
| loader-utils (npm) | >= 2.0.0, < 2.0.4 | 2.0.4 |
| loader-utils (npm) | >= 3.0.0, < 3.2.1 | 3.2.1 |
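As an added example (not part of the advisory or of loader-utils), the following checks installed loader-utils versions against the affected ranges in the table above and reports the patched release to move to, including nested copies found in a package-lock.json. Version strings are assumed to be plain MAJOR.MINOR.PATCH, and the lockfile fragment is constructed for the demo.

```javascript
// Added example, not part of the advisory or of loader-utils: check installed
// loader-utils versions against the affected ranges in the table above and
// report the patched release to move to. Versions are assumed to be
// MAJOR.MINOR.PATCH; a pre-release or build suffix is ignored.
const ADVISORY_RANGES = [
  { min: "1.0.0", below: "1.4.2", patched: "1.4.2" },
  { min: "2.0.0", below: "2.0.4", patched: "2.0.4" },
  { min: "3.0.0", below: "3.2.1", patched: "3.2.1" },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Patched version to upgrade to, or null when `version` lies outside every
// affected range (already-patched releases included).
function patchedVersionFor(version) {
  const hit = ADVISORY_RANGES.find(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.below) < 0);
  return hit ? hit.patched : null;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// list every installed copy of loader-utils, nested ones included, that is
// still in an affected range.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/loader-utils") || !info.version) continue;
    const upgradeTo = patchedVersionFor(info.version);
    if (upgradeTo) hits.push({ path, version: info.version, upgradeTo });
  }
  return hits;
}

// Constructed lockfile fragment for the demo (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/loader-utils": { version: "2.0.4" },
  "node_modules/file-loader/node_modules/loader-utils": { version: "1.4.0" },
  "node_modules/babel-loader/node_modules/loader-utils": { version: "2.0.0" },
} };
```

Nested copies under another loader's node_modules are the ones a top-level `npm ls` glance tends to miss, which is why the walk matches on the path suffix rather than the top-level entry only.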
Affected products
- webpack/loader-utils
Patches
17cbf8fa8989 fix: ReDoS problem (#226)
1 file changed · +1 −1
lib/interpolateName.js+1 −1 modified@@ -108,7 +108,7 @@ function interpolateName(loaderContext, name, options) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) )
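Review bot: The one-character change to the class in the optional hash-type group, from `[^:\]]+` to `[^[:\]]+`, is the whole fix, but the commit lands with `1 file changed` and no regression test; add a test in the same change that runs interpolateName over a template containing a long run of `[` characters under a bounded elapsed time, so the backtracking behaviour cannot return unnoticed in a later edit of this pattern. A short comment above the regex explaining why `[` must be excluded (otherwise the group greedily consumes a run of `[` and, when no `:` follows, backtracks one character at a time before failing at each position) would also help the next maintainer.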
ac09944dfacd fix: ReDoS problem (#225)
1 file changed · +1 −1
lib/interpolateName.js+1 −1 modified@@ -108,7 +108,7 @@ function interpolateName(loaderContext, name, options) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) )
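Review bot: This is the same one-character class change as #226 applied to another release line, again with `1 file changed` and no accompanying test; since three branches carry the identical regex change, the regression test (a template with a long run of `[`, asserted to complete within a bounded time) should be backported alongside the fix on each line so that no branch is protected only by the regex edit itself.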
d2d752d59629 fix: ReDoS problem (#224)
2 files changed · +991 −897
lib/interpolateName.js+1 −1 modified@@ -76,7 +76,7 @@ function interpolateName(loaderContext, name, options = {}) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) );
yarn.lock+990 −896 modified
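Review bot: The interpolateName.js hunk is the same one-line class change as the sibling commits, but this commit also rewrites yarn.lock (+990 −896 of the +991 −897 total), so the security fix is bundled with a large dependency-resolution churn that a reviewer or downstream packager must wade through to confirm nothing else changed; split the lockfile update into its own commit so the backport and its audit trail contain only the ReDoS fix. As with #225 and #226, no regression test accompanies the change.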
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3rfm-jhwj-7488 (ghsa, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/ (mitre, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/ (mitre, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/ (mitre, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37603 (ghsa, advisory)
- github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js (ghsa, web)
- github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa (ghsa, web)
- github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (ghsa, web)
- github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1 (ghsa, web)
- github.com/webpack/loader-utils/issues/213 (ghsa, web)
- github.com/webpack/loader-utils/issues/216 (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375 (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU (ghsa, web)
News mentions
No linked articles in our index yet.