Platform: nodejs
Component: webpack-dev-server
Fixed versions: 5.2.2, 5.2.1
CVE-2025-30359 is a prototype pollution vulnerability discovered in webpack-dev-server. This flaw allows an attacker to potentially extract source code from the server by injecting malicious scripts. The vulnerability impacts versions prior to 5.2.1 and can be mitigated by upgrading to the patched version or implementing robust origin policy controls.
The primary impact of CVE-2025-30359 is the potential exposure of source code. An attacker can inject a <script> tag into a malicious website, pointing to the webpack-dev-server's output. By leveraging prototype pollution, they can then access webpack runtime variables and, using Function::toString, extract the source code of the application. This could expose sensitive information, intellectual property, and potentially reveal vulnerabilities within the codebase itself. The blast radius is limited to applications using webpack-dev-server in development environments, but the exposure of source code can have significant consequences.
This vulnerability is publicly known and a proof-of-concept (PoC) exists. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential for source code exposure make it a concerning issue. The vulnerability was disclosed on 2025-06-04. It is not currently listed on CISA KEV.
Development teams using webpack-dev-server in their development workflows are at risk. This includes projects utilizing Node.js and JavaScript frameworks like React, Angular, or Vue.js. Shared hosting environments where webpack-dev-server might be accessible from external networks are particularly vulnerable.
• nodejs: Monitor process arguments for suspicious script tags or unusual webpack configurations. Use ps aux | grep webpack-dev-server to identify running instances and inspect their command-line arguments.
• generic web: Inspect HTTP requests for <script src="http://localhost:8080/main.js"> or similar patterns. Examine access logs for unusual requests to webpack-dev-server endpoints.
curl -I http://your-webpack-dev-server/main.js | grep -i content-type
Exploitation status
EPSS: 0.17% (38th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2025-30359 is to upgrade to webpack-dev-server version 5.2.1 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter origin policy checks within your webpack configuration to prevent the injection of external scripts. Additionally, review your development environment security practices to ensure that webpack-dev-server is not exposed to untrusted networks. After upgrading, confirm the fix by attempting to inject a malicious script tag and verifying that the server does not expose source code.
Update webpack-dev-server to version 5.2.1 or later. This fixes the vulnerability that allows source code theft. Run `npm install webpack-dev-server@latest` or `yarn add webpack-dev-server@latest` to update.
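As an added example (not code from this advisory or from the webpack project), a Node.js script that audits a package-lock.json for installed copies of webpack-dev-server older than the 5.2.1 fix named above; the lockfile contents are constructed for the demonstration.

```javascript
// Added example: find webpack-dev-server installs in a lockfile's "packages"
// map (lockfileVersion 2/3) that fall in the advisory's "prior to 5.2.1" range.
const FIXED_VERSION = "5.2.1";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b; a prerelease of X sorts before the X release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : 1;
  return pa.pre ? -1 : 1; // only one side carries a prerelease tag
}

// True when the installed version is older than the fixed release.
function isAffected(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}

// Walk every lockfile entry, including nested node_modules paths.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/webpack-dev-server")) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one hoisted vulnerable copy, one nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/webpack-dev-server": { version: "5.2.0", dev: true },
    "node_modules/some-tool/node_modules/webpack-dev-server": { version: "5.2.2", dev: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? "AFFECTED, upgrade" : "fixed"}`);
}
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.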
CVE-2025-30359 is a vulnerability in webpack-dev-server that allows attackers to inject scripts and potentially steal source code through prototype pollution.
You are affected if you are using webpack-dev-server versions prior to 5.2.1 and your development environment is accessible to untrusted networks.
Upgrade to webpack-dev-server version 5.2.1 or later. Alternatively, implement stricter origin policy checks in your webpack configuration.
While no active exploitation campaigns have been confirmed, the vulnerability is publicly known and a PoC exists, making it a potential target.
Refer to the webpack project's official website and security advisories for the latest information and updates regarding CVE-2025-30359.