SB2025070317 - Multiple vulnerabilities in webpack-dev-server
Published: July 3, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Origin validation error (CVE-ID: CVE-2025-30360)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect Origin validation in webpack-dev-server/lib/Server.js. A remote attacker can trick the application into connecting to a malicious website with a non-Chromium browser and and share its source code with it, a.k.a. cross-site WebSocket hijacking.
2) Exposed dangerous method or function (CVE-ID: CVE-2025-30359)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the way the application handles script tags. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.
Remediation
Install update from vendor's website.
References
- https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
- https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e
- https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h
- https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v