Skip to content

[Renovate] Update dependency loader-utils to v2.0.4 [SECURITY]#118

Open
appsec-renovate-bot[bot] wants to merge 1 commit into
masterfrom
renovate/npm-loader-utils-vulnerability
Open

[Renovate] Update dependency loader-utils to v2.0.4 [SECURITY]#118
appsec-renovate-bot[bot] wants to merge 1 commit into
masterfrom
renovate/npm-loader-utils-vulnerability

Conversation

@appsec-renovate-bot

@appsec-renovate-bot appsec-renovate-bot Bot commented Jun 10, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
loader-utils dependencies patch 2.0.02.0.4

Prototype pollution in webpack loader-utils

CVE-2022-37601 / GHSA-76p3-8jx3-jpfq

More information

Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

CVE-2022-37603 / GHSA-3rfm-jhwj-7488

More information

Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

CVE-2022-37599 / GHSA-hhq3-ff78-jv3g

More information

Details

A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

webpack/loader-utils (loader-utils)

v2.0.4

Compare Source

2.0.4 (2022-11-11)
Bug Fixes

v2.0.3

Compare Source

2.0.3 (2022-10-20)
Bug Fixes

v2.0.2

Compare Source

2.0.2 (2021-11-04)
Bug Fixes

v2.0.1

Compare Source

2.0.1 (2021-10-29)
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@appsec-renovate-bot appsec-renovate-bot Bot changed the title [Renovate] Patch loader-utils to 2.0.4 [Renovate] Update dependency loader-utils to v2.0.4 [SECURITY] Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants