{"id":"CVE-2022-37601","details":"Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1, and versions 2.0.0 up to but not including 2.0.3.","aliases":["GHSA-76p3-8jx3-jpfq"],"modified":"2026-03-20T12:12:44.764543Z","published":"2022-10-12T20:15:11.263Z","related":["CGA-77fm-r23v-c6ww"],"references":[{"type":"WEB","url":"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11"},{"type":"WEB","url":"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html"},{"type":"REPORT","url":"https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"},{"type":"REPORT","url":"https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884"},{"type":"REPORT","url":"https://github.com/webpack/loader-utils/issues/212"},{"type":"ARTICLE","url":"http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"},{"type":"ARTICLE","url":"https://dl.acm.org/doi/abs/10.1145/3488932.3497769"},{"type":"ARTICLE","url":"https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webpack/loader-utils","events":[{"introduced":"0"},{"fixed":"8f082b39f6903929f30fe29dab34f4d9c7ef070a"},{"introduced":"d9f4e23cf411d8556f8bac2d3bf05a6e0103b568"},{"fixed":"7162619fb982c394ed75098a0a0ed7e7f3177c70"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.1"},{"introduced":"2.0.0"},{"fixed":"2.0.3"}]}}],"versions":["v2.0.0","v2.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37601.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}