Description
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Recommendation
Update the webpack package to the latest compatible version. Followings are version details:
- Affected version(s): >= 5.0.0, < 5.76.0
- Patched version(s): 5.76.0
References
Related Issues
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code - @nuxt/webpack-builder - CVE-2025-24361
- tarteaucitron.js vulnerable to Cross-site Scripting - CVE-2023-3620
- vxe-table Cross-site Scripting vulnerability - CVE-2023-1001
- angular-ui-notification Cross-site Scripting vulnerability - CVE-2023-34840
You might also like:
- Tags:
- npm
- webpack
Anything's wrong? Let us know Last updated on October 30, 2023


