#VU112135 Exposed dangerous method or function in webpack-dev-server - CVE-2025-30359
Published: July 3, 2025
Vulnerability identifier: #VU112135
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-30359
CWE-ID: CWE-749
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
webpack-dev-server
webpack-dev-server
Software vendor:
webpack
webpack
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the way the application handles script tags. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.
Remediation
Install update from vendor's website.