Platform
nodejs
Component
webpack
Fixed in
5.0.1
5.94.0
CVE-2024-43788 describes a DOM Clobbering vulnerability within Webpack's AutoPublicPathRuntimeModule that can lead to cross-site scripting (XSS). This occurs when scriptless, attacker-controlled HTML elements are present, enabling exploitation through DOM clobbering. The vulnerability affects webpack and has been observed in real-world scenarios like Canvas LMS. This issue is resolved in webpack version 5.94.0.
CVE-2024-43788 is a DOM Clobbering vulnerability discovered in Webpack's AutoPublicPathRuntimeModule. This vulnerability allows an attacker to inject malicious JavaScript code into a web page by exploiting the ability to overwrite global DOM (Document Object Model) properties through attacker-controlled HTML elements. The vulnerability manifests when Webpack generates code that utilizes global DOM variables without proper validation. An attacker can manipulate attributes like name in <img> tags to overwrite these variables, potentially leading to arbitrary code execution in the victim's browser. The primary impact is the possibility of Cross-Site Scripting (XSS) attacks, compromising user security and confidentiality.
The vulnerability was discovered and demonstrated in the Canvas LMS, where an attacker can inject JavaScript code through HTML element attributes, specifically the name attribute of an <img> tag. Webpack, when processing this code, generates a module that is susceptible to DOM Clobbering. The attacker can then manipulate this module to overwrite global DOM variables, enabling the execution of malicious code. This scenario highlights the importance of validating and sanitizing input data in web applications that use Webpack, especially when handling user-provided data. The vulnerability is exploited due to the way Webpack handles automatic public paths and interaction with the DOM.
Exploit Status
EPSS
1.77% (83% percentile)
CISA SSVC
The primary mitigation for CVE-2024-43788 is to upgrade to Webpack version 5.94.0 or higher. This version includes a fix that prevents the unwanted overwriting of DOM properties. Additionally, a thorough review of Webpack-generated code is recommended to identify potential entry points for DOM Clobbering attacks. Implementing rigorous validation and sanitization of input data, especially from untrusted sources, is crucial. Considering the use of Content Security Policy (CSP) to restrict allowed script sources on the web page can help mitigate the impact of a successful XSS attack. Finally, keeping Webpack dependencies updated is a fundamental security practice.
Actualice webpack a la versión 5.94.0 o superior. Esta versión corrige la vulnerabilidad de Cross-Site Scripting (XSS) causada por un gadget DOM Clobbering en el AutoPublicPathRuntimeModule. La actualización evitará la ejecución de código malicioso inyectado a través de elementos HTML controlados por el atacante.
Vulnerability analysis and critical alerts directly to your inbox.
DOM Clobbering is an attack technique that allows an attacker to overwrite global DOM variables, potentially leading to arbitrary code execution.
Version 5.94.0 of Webpack includes a fix that prevents the DOM Clobbering vulnerability.
Perform a thorough review of Webpack-generated code and apply data validation and sanitization measures.
Configure CSP to restrict allowed script sources on the web page.
Yes, there are static and dynamic analysis tools that can help detect DOM Clobbering vulnerabilities in Webpack code.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.