Current behavior
The installed version is 1.4.0.
Desired behavior
Upgrade to the fixed version, 2.0.3.
Test code to reproduce
Cypress Version
13.3.3
Node version
16.20.2
Operating System
Debug Logs
"VulnerabilityID": "CVE-2022-37601",
"InstalledVersion": "1.4.0",
"LastModifiedDate": "2023-02-28T15:02:00Z"
},
{
"CVSS": {
"nvd": {
"V3Score": 9.8,
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"ghsa": {
"V3Score": 9.8,
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"redhat": {
"V3Score": 8.1,
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
},
"Layer": {
"DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
},
"PkgID": "loader-utils@1.4.0",
"Title": "prototype pollution in function parseQuery in parseQuery.js",
"CweIDs": [
"CWE-1321"
],
"Status": "fixed",
"PkgName": "loader-utils",
"PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/loader-utils/package.json",
"Severity": "CRITICAL",
"DataSource": {
"ID": "ghsa",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
"Name": "GitHub Security Advisory npm"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-37601",
"References": [
"http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf",
"https://access.redhat.com/security/cve/CVE-2022-37601",
"https://dl.acm.org/doi/abs/10.1145/3488932.3497769",
"https://dl.acm.org/doi/pdf/10.1145/3488932.3497769",
"https://github.com/webpack/loader-utils",
"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11",
"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47",
"https://github.com/webpack/loader-utils/commit/4504e34c4796a5836ef70458327351675aed48a5",
"https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c",
"https://github.com/webpack/loader-utils/commit/f4e48a232fae900237c3e5ff7b57ce9e1c734de1",
"https://github.com/webpack/loader-utils/issues/212",
"https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884",
"https://github.com/webpack/loader-utils/pull/217",
"https://github.com/webpack/loader-utils/pull/220",
"https://github.com/webpack/loader-utils/releases/tag/v1.4.1",
"https://github.com/webpack/loader-utils/releases/tag/v2.0.3",
"https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826",
"https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html",
"https://nvd.nist.gov/vuln/detail/CVE-2022-37601",
"https://www.cve.org/CVERecord?id=CVE-2022-37601"
],
"Description": "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.",
"FixedVersion": "2.0.3, 1.4.1",
"PublishedDate": "2022-10-12T20:15:00Z",
Other
Current behavior
The installed version is 1.4.0.
Desired behavior
Upgrade to the fixed version, 2.0.3.
Test code to reproduce
Cypress Version
13.3.3
Node version
16.20.2
Operating System
Debug Logs
Other