A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Loader-utils | Webpack.js | 1.0.0 (including) | 1.4.2 (excluding) |
Loader-utils | Webpack.js | 2.0.0 (including) | 2.0.4 (excluding) |
Loader-utils | Webpack.js | 3.0.0 (including) | 3.2.1 (excluding) |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.