Platform: nodejs
Component: webpack-dev-server
Fixed in: 5.2.2, 5.2.1
CVE-2025-30359 is a prototype pollution vulnerability in webpack-dev-server. It allows a malicious website visited by a developer to extract the application's source code from the running dev server by injecting scripts. The vulnerability affects versions prior to 5.2.1 and can be mitigated by upgrading to the patched version or by implementing robust origin policy controls.
The primary impact of CVE-2025-30359 is the potential exposure of source code. An attacker can inject a <script> tag into a malicious website, pointing to the webpack-dev-server's output. By leveraging prototype pollution, they can then access webpack runtime variables and, using Function::toString, extract the source code of the application. This could expose sensitive information, intellectual property, and potentially reveal vulnerabilities within the codebase itself. The blast radius is limited to applications using webpack-dev-server in development environments, but the exposure of source code can have significant consequences.
This vulnerability is publicly known and a proof-of-concept (PoC) exists. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential for source code exposure make it a concerning issue. The vulnerability was disclosed on 2025-06-04. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.17% (38th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2025-30359 is to upgrade to webpack-dev-server version 5.2.1 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter origin policy checks within your webpack configuration to prevent the injection of external scripts. Additionally, review your development environment security practices to ensure that webpack-dev-server is not exposed to untrusted networks. After upgrading, confirm the fix by attempting to inject a malicious script tag and verifying that the server does not expose source code.
Update webpack-dev-server to version 5.2.1 or higher. This fixes the vulnerability that allows source code theft. Run `npm install webpack-dev-server@latest` or `yarn add webpack-dev-server@latest` to update.
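A dependency check for this advisory, added here as an example and not taken from the advisory or the webpack project: it flags every installed copy of webpack-dev-server in a package-lock.json that predates the 5.2.1 fix, including nested duplicates that `npm install webpack-dev-server@latest` at the top level would not replace. It assumes the lockfileVersion 2/3 layout, where installed packages are keyed by path under "packages"; the sample lockfile is constructed.

```javascript
// Added example: audit a package-lock.json object for webpack-dev-server < 5.2.1 (CVE-2025-30359).
const PACKAGE = 'webpack-dev-server';
const FIXED_IN = '5.2.1';

// Parse "5.2.1", "v5.2.1" or "5.2.1-beta.0" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver ordering: negative if a < b, zero if equal, positive if a > b.
// A prerelease (5.2.1-beta.0) sorts below the matching release (5.2.1).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  return (pb.pre ? 1 : 0) - (pa.pre ? 1 : 0);
}

function isVulnerableVersion(v) {
  return compareVersions(v, FIXED_IN) < 0;
}

// Every installed copy of the package (lockfileVersion 2/3 "packages" map),
// including nested duplicates such as node_modules/some-tool/node_modules/webpack-dev-server.
function findInstalled(lock) {
  const suffix = `node_modules/${PACKAGE}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Installed copies that still predate the fix.
function auditLock(lock) {
  return findInstalled(lock).filter((e) => isVulnerableVersion(e.version));
}

// Constructed sample lockfile: a patched top-level copy plus an unpatched
// copy nested under another tool's node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/webpack-dev-server': { version: '5.2.1' },
    'node_modules/some-tool/node_modules/webpack-dev-server': { version: '4.15.2' },
  },
};

console.log(auditLock(SAMPLE_LOCK)); // [{ path: 'node_modules/some-tool/node_modules/webpack-dev-server', version: '4.15.2' }]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.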
CVE-2025-30359 is a vulnerability in webpack-dev-server that allows attackers to inject scripts and potentially steal source code through prototype pollution.
You are affected if you are using webpack-dev-server versions prior to 5.2.1 and your development environment is accessible to untrusted networks.
Upgrade to webpack-dev-server version 5.2.1 or later. Alternatively, implement stricter origin policy checks in your webpack configuration.
While no active exploitation campaigns have been confirmed, the vulnerability is publicly known and a PoC exists, making it a potential target.
Refer to the webpack project's official website and security advisories for the latest information and updates regarding CVE-2025-30359.