4 matches found
CVE-2024-43788
CVE-2024-43788: Webpack’s AutoPublicPathRuntimeModule DOM clobbering enables XSS via scriptless HTML (e.g., unsanitized name/id attributes). Real-world exploitation observed in Canvas LMS. Fix is in Webpack release 5.94.0; upgrade recommended (no public workarounds documented).
CVE-2023-28154
CVE-2023-28154 affects Webpack 5 before 5.76.0. ImportParserPlugin.js mishandles the magic comment feature, allowing an attacker who controls a property of an untrusted object to obtain access to the real global object (cross-realm object access). CVSS v3.1 base score 9.8 (CRITICAL). Remediation:...
CVE-2025-68157
Webpack vulnerability CVE-2025-68157 affects the HttpUriPlugin when experiments.buildHttp is enabled. From 5.49.0 through versions before 5.104.0, allowedUris are validated only for the initial URL; redirects (HTTP 30x) are not re-validated, allowing an import restricted to a trusted allow-list t...
CVE-2025-68458
Webpack CVE-2025-68458 affects Webpack’s HTTP(S) resolver (HttpUriPlugin) when experiments.buildHttp is enabled. A crafted URL containing userinfo (username:password@host) can bypass allowedUris checks and cause the build process to request resources from internal or non-whitelisted hosts, enabli...