Exposed dangerous method or function in webpack-dev-server - CVE-2025-30359
Published: July 3, 2025
Vulnerability identifier: #VU112135
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-30359
CWE-ID: CWE-749
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: webpack
Affected software:
webpack-dev-server
webpack-dev-server
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the way the application handles script tags. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.
How to mitigate CVE-2025-30359
Install update from vendor's website.