[CVE-2022-37601]/Prototype pollution found in parseQuery.js

[secdevlpr26]

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

[alexander-akait]

Please migrate to 3 version, 2 version is deprecated and doesn't supported, thank you

[JSMike]

From the error report The issue is here:
https://github.com/webpack/loader-utils/blob/v2.0.2/lib/parseQuery.js#L29

Because of the following result[name] assignments. This report seems to want const result = {}; to be const result = Object.create(null); if you're going to manipulate an object the way you are to avoid a prototype pollution exploit.

Per the reporting tool this was reported to you in: #212

[alexander-akait]

@JSMike Thank you, published https://github.com/webpack/loader-utils/releases/tag/v2.0.3

[matek075]

@JSMike Is this issue resolved in the new version or I have to overwrite pareQuery.js ?

[G-Rath]

@w3bdesign if Dependabot is still showing the vulnerability as open in your codebase but giving that message, then its because you've got multiple versions of loader-utils in the dependency tree, some of which are vulnerable but currently dependabot only sees the "first" one.

@alexander-akait I'm sorry I have to ask, but any chance of getting this backported to 1.x? It looks like this is commonly pulled in by babel-loader who have moved away from it as a dependency in v9 but that meant dropping webpack v4 support, and we're sadly still locked into v4 for a while longer due to setups like @rails/webpacker that are no longer maintained but require enough time and budget to move off that we can't just do it for all of our apps (😢)

As always I'm happy to do anything I can to make it less work for you 🙂

Turns out babel-loader was able to upgrade to v2 in a v8 patch before they released v9, so the v2 backport is sufficient 🎉

However resolve-url-loader is currently on v1 for their v3, so a backport would be useful for that...

[ashkulz]

@alexander-akait this also affects us, the dependency tree is

@vue/cli-service@5.0.8
  @vue/vue-loader@15.10.0
    loader-utils@1.4.0

There's no branch for 1.x else I'd have submitted a PR 😅 Hopefully the upstream issue vuejs/vue-cli#7323 is actioned soon 🤞

[ashkulz]

Thanks for the quick release of 1.4.1, @alexander-akait 🎉