Platform
nodejs
Component
webpack-dev-server
Fixed versions
5.2.2
5.2.1
CVE-2025-30359 is a prototype pollution vulnerability discovered in webpack-dev-server. This flaw allows an attacker to potentially extract source code from the server by injecting malicious scripts. The vulnerability impacts versions prior to 5.2.1 and can be mitigated by upgrading to the patched version or implementing robust origin policy controls.
The primary impact of CVE-2025-30359 is the potential exposure of source code. An attacker can inject a <script> tag into a malicious website, pointing to the webpack-dev-server's output. By leveraging prototype pollution, they can then access webpack runtime variables and, using Function::toString, extract the source code of the application. This could expose sensitive information, intellectual property, and potentially reveal vulnerabilities within the codebase itself. The blast radius is limited to applications using webpack-dev-server in development environments, but the exposure of source code can have significant consequences.
This vulnerability is publicly known and a proof-of-concept (PoC) exists. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential for source code exposure make it a concerning issue. The vulnerability was disclosed on 2025-06-04. It is not currently listed on CISA KEV.
Development teams using webpack-dev-server in their development workflows are at risk. This includes projects utilizing Node.js and JavaScript frameworks like React, Angular, or Vue.js. Shared hosting environments where webpack-dev-server might be accessible from external networks are particularly vulnerable.
• nodejs: Monitor process arguments for suspicious script tags or unusual webpack configurations. Use ps aux | grep webpack-dev-server to identify running instances and inspect their command-line arguments.
• generic web: Inspect HTTP requests for <script src="http://localhost:8080/main.js"> or similar patterns. Examine access logs for unusual requests to webpack-dev-server endpoints.
curl -I http://your-webpack-dev-server/main.js | grep -i content-type
Disclosure
Exploitation status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-30359 is to upgrade to webpack-dev-server version 5.2.1 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter origin policy checks within your webpack configuration to prevent the injection of external scripts. Additionally, review your development environment security practices to ensure that webpack-dev-server is not exposed to untrusted networks. After upgrading, confirm the fix by attempting to inject a malicious script tag and verifying that the server does not expose source code.
Update webpack-dev-server to version 5.2.1 or later. This fixes the vulnerability that allows source code theft. Run `npm install webpack-dev-server@latest` or `yarn add webpack-dev-server@latest` to update.
CVE-2025-30359 is a vulnerability in webpack-dev-server that allows attackers to inject scripts and potentially steal source code through prototype pollution.
You are affected if you are using webpack-dev-server versions prior to 5.2.1 and your development environment is accessible to untrusted networks.
Upgrade to webpack-dev-server version 5.2.1 or later. Alternatively, implement stricter origin policy checks in your webpack configuration.
While no active exploitation campaigns have been confirmed, the vulnerability is publicly known and a PoC exists, making it a potential target.
Refer to the webpack project's official website and security advisories for the latest information and updates regarding CVE-2025-30359.