vulnerability

Red Hat: CVE-2025-30359: webpack-dev-server: webpack-dev-server information exposure

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:H/Au:N/C:C/I:N/A:N)	Jun 3, 2025	Jul 9, 2025	Jul 10, 2025

Severity

CVSS

(AV:N/AC:H/Au:N/C:C/I:N/A:N)

Published

Jun 3, 2025

Added

Jul 9, 2025

Modified

Jul 10, 2025

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

Solution

no-fix-redhat-rpm-package

References

NVD-CVE-2025-30359

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today