Description
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Recommendation
Update the webpack package to the latest compatible version. Version details:
- Affected version(s): >= 5.0.0, < 5.76.0
- Patched version(s): 5.76.0
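One way to check a project against the range above, as an added example that is not part of the advisory or of webpack: it scans a parsed package-lock.json for webpack copies at >= 5.0.0 and < 5.76.0. The function names and the sample lockfile are constructed for illustration, and prerelease versions are assumed to follow semver ordering.

```javascript
// Added example; range bounds are taken from the advisory text.
const AFFECTED_MIN = [5, 0, 0]; // >= 5.0.0
const PATCHED = [5, 76, 0];     // < 5.76.0

// Parse "major.minor.patch[-prerelease][+build]"; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}
// Numeric comparison, so 5.100.0 correctly sorts above 5.76.0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Assumption: semver ordering, where a prerelease sorts before its release.
// 5.76.0-beta.1 is below 5.76.0 (in range); 5.0.0-beta.1 is below 5.0.0 (out).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false;
  if (cmp(p.nums, PATCHED) === 0) return p.pre;
  if (cmp(p.nums, AFFECTED_MIN) === 0) return !p.pre;
  return cmp(p.nums, AFFECTED_MIN) > 0 && cmp(p.nums, PATCHED) < 0;
}

// Return every webpack copy in a parsed package-lock.json that is in range.
function findAffectedWebpack(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/webpack$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only as a fallback.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === 'webpack' && isAffected(meta.version)) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/webpack': { version: '5.75.0' },
  'node_modules/webpack-cli': { version: '5.0.1' },
  'node_modules/legacy-tool/node_modules/webpack': { version: '4.46.0' } } };
console.log(findAffectedWebpack(sampleLock));
```

Nested copies matter here: a patched top-level webpack does not update a copy pinned under another package's own node_modules.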
Tags: npm, webpack
Last updated on October 30, 2023