You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Source code may be stolen when you access a malicious web site.
Details
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.
This script uses the function generated by renderRequire.
// The require functionfunction__webpack_require__(moduleId){// Check if module is in cachevarcachedModule=__webpack_module_cache__[moduleId];if(cachedModule!==undefined){returncachedModule.exports;}// Create a new module (and put it into the cache)varmodule=__webpack_module_cache__[moduleId]={// no module.id needed// no module.loaded neededexports: {}};// Execute the module functionvarexecOptions={id: moduleId,module: module,factory: __webpack_modules__[moduleId],require: __webpack_require__};__webpack_require__.i.forEach(function(handler){handler(execOptions);});module=execOptions.module;execOptions.factory.call(module.exports,module,module.exports,execOptions.require);// Return the exports of the modulereturnmodule.exports;}
Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__.
It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.
Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.
Old content
Summary
Source code may be stolen when you use output.iife: false and access a malicious web site.
Details
When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.
I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.
This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.
related commit: webpack/webpack-dev-server@72efaab (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.
cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header
The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)
cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header
The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
This PR contains the following updates:
3.11.0->5.2.1Warning
Some dependencies could not be looked up. Check the warning logs for more information.
GitHub Vulnerability Alerts
CVE-2025-30359
Summary
Source code may be stolen when you access a malicious web site.
Details
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject
<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.By using
Function::toStringagainst the values in__webpack_modules__, the attacker can get the source code.PoC
npm inpx webpack-dev-serverhttps://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/image
The script in the POC site is:
This script uses the function generated by
renderRequire.Especially, it uses the fact that
Array::forEachis called for__webpack_require__.iandexecOptionscontains__webpack_require__.It uses prototype pollution against
Array::forEachto extract__webpack_require__reference.Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.
Old content
Summary
Source code may be stolen when you use
output.iife: falseand access a malicious web site.Details
When
output.iife: falseis set, some global variables for the webpack runtime are declared on thewindowobject (e.g.__webpack_modules__).Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject
<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on thewindowobject.By using
Function::toStringagainst the values in__webpack_modules__, the attacker can get the source code.I pointed out
output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on thewindowobject, the same will apply for those cases.PoC
npm inpx webpack-dev-serverhttps://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/src/index.jsand other scripts loaded.image
The script in the POC site is:
Impact
This vulnerability can result in the source code to be stolen for users that has
output.iife: falseoption set and uses a predictable port and output path for the entrypoint script.CVE-2025-30360
Summary
Source code may be stolen when you access a malicious web site with non-Chromium based browser.
Details
The
Originheader is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.But webpack-dev-server always allows IP address
Originheaders.https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.
related commit: webpack/webpack-dev-server@72efaab (note that
checkHostfunction was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.
PoC
npm inpx webpack-dev-serverhttp://{ipaddress}/?target=http://localhost:8080&file=mainwith a non-Chromium browser (I used Firefox 134.0.1)src/index.jsin the extracted directorysrc/index.jsimage
The script in the POC site is:
Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.
Release Notes
webpack/webpack-dev-server (webpack-dev-server)
v5.2.1Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.2.0Compare Source
Features
getClientEntryandgetClientHotEntrymethods to get clients entries (dc642a8)Bug Fixes
v5.1.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024年03月19日)
Bug Fixes
5.0.3 (2024年03月12日)
Bug Fixes
5.0.2 (2024年02月16日)
Bug Fixes
5.0.1 (2024年02月13日)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.4Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.0.3Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024年03月19日)
Bug Fixes
5.0.3 (2024年03月12日)
Bug Fixes
5.0.2 (2024年02月16日)
Bug Fixes
5.0.1 (2024年02月13日)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.2Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024年03月19日)
Bug Fixes
5.0.3 (2024年03月12日)
Bug Fixes
5.0.2 (2024年02月16日)
Bug Fixes
5.0.1 (2024年02月13日)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.1Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024年03月19日)
Bug Fixes
5.0.3 (2024年03月12日)
Bug Fixes
5.0.2 (2024年02月16日)
Bug Fixes
5.0.1 (2024年02月13日)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024年03月19日)
Bug Fixes
5.0.3 (2024年03月12日)
Bug Fixes
5.0.2 (2024年02月16日)
Bug Fixes
5.0.1 (2024年02月13日)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v4.15.2Compare Source
4.15.2 (2024年03月20日)
Bug Fixes
v4.15.1Compare Source
Migration Guide and Changes.
4.15.1 (2023年06月09日)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.15.0Compare Source
Migration Guide and Changes.
4.15.1 (2023年06月09日)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.14.0Compare Source
Features
4.13.3 (2023年04月15日)
Bug Fixes
4.13.2 (2023年03月31日)
Bug Fixes
4.13.1 (2023年03月18日)
Bug Fixes
v4.13.3Compare Source
Features
4.13.3 (2023年04月15日)
Bug Fixes
4.13.2 (2023年03月31日)
Bug Fixes
4.13.1 (2023年03月18日)
Bug Fixes
v4.13.2Compare Source
Features
4.13.3 (2023年04月15日)
Bug Fixes
4.13.2 (2023年03月31日)
Bug Fixes
4.13.1 (2023年03月18日)
Bug Fixes
v4.13.1Compare Source
Features
4.13.3 (2023年04月15日)
Bug Fixes
4.13.2 (2023年03月31日)
Bug Fixes
4.13.1 (2023年03月18日)
Bug Fixes
v4.13.0Compare Source
Features
4.13.3 (2023年04月15日)
Bug Fixes
4.13.2 (2023年03月31日)
Bug Fixes
4.13.1 (2023年03月18日)
Bug Fixes
v4.12.0Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022年09月19日)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.11.1Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022年09月19日)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.11.0Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022年09月19日)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.10.1Compare Source
Features
Bug Fixes
4.10.1 (2022年08月29日)
Bug Fixes
v4.10.0Compare Source
Features
Bug Fixes
4.10.1 (2022年08月29日)
Bug Fixes
v4.9.3Compare Source
Features
clientoptions via resource URL (#4274) (216e3cb)Bug Fixes
4.9.3 (2022年06月29日)
Bug Fixes
4.9.2 (2022年06月06日)
Bug Fixes
@types/serve-staticto dependencies (#4468) (af83deb)4.9.1 (2022年05月31日)
Bug Fixes
v4.9.2Compare Source
Features
clientoptions via resource URL (#4274) (216e3cb)Bug Fixes
4.9.3 (2022年06月29日)
Bug Fixes
4.9.2 (2022年06月06日)
Bug Fixes
@types/serve-staticto dependencies (#4468) (af83deb)4.9.1 (2022年05月31日)
Bug Fixes
v4.9.1Compare Source
Features
clientoptions via resource URL (#4274) (216e3cb)Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.