CVE-2025-30359

Published: Jun 3, 2025

Modified: Jun 3, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

Vendor	Product	Versions
webpack	webpack-dev-server	affected `< 5.2.1`

Weaknesses (CWE)

CWE-749

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v

x_refsource_CONFIRM

https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-30359

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References