Cross-Site Scripting in webpack-bundle-analyzer

Description

Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

Recommendation

Update the webpack-bundle-analyzer package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.3.2
• Patched version(s): 3.3.2

References

• GHSA-pgr8-jg6h-8gw6
• snyk.io
• www.npmjs.com
• CWE-79
• OWASP 2021-A3

Related Issues

• Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
• @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
• Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
• Bootstrap Cross-site Scripting vulnerability - bootstrap - GHSA-pj7m-g53m-7638 - CVE-2018-14041

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

webpack-bundle-analyzer