A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Loader-utils | Webpack.js | 1.0.0 (including) | 1.4.2 (excluding) |
Loader-utils | Webpack.js | 2.0.0 (including) | 2.0.4 (excluding) |
Loader-utils | Webpack.js | 3.0.0 (including) | 3.2.1 (excluding) |
RHPAM 7.13.4 async | RedHat | loader-utils | * |
Node-loader-utils | Ubuntu | bionic | * |
Node-loader-utils | Ubuntu | kinetic | * |
Node-loader-utils | Ubuntu | lunar | * |
Node-loader-utils | Ubuntu | mantic | * |
Node-loader-utils | Ubuntu | trusty | * |
Node-loader-utils | Ubuntu | xenial | * |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.