Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-30359

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-03 Jun, 2025 | 17:39
Updated At-03 Jun, 2025 | 17:50
Rejected At-
Credits

webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:03 Jun, 2025 | 17:39
Updated At:03 Jun, 2025 | 17:50
Rejected At:
▼CVE Numbering Authority (CNA)
webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

Affected Products
Vendor
Webpack (OpenJS Foundation)webpack
Product
webpack-dev-server
Versions
Affected
  • < 5.2.1
Problem Types
TypeCWE IDDescription
CWECWE-749CWE-749: Exposed Dangerous Method or Function
Type: CWE
CWE ID: CWE-749
Description: CWE-749: Exposed Dangerous Method or Function
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
x_refsource_CONFIRM
https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239
x_refsource_MISC
Hyperlink: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:03 Jun, 2025 | 18:15
Updated At:03 Oct, 2025 | 01:12

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches

Webpack (OpenJS Foundation)
webpack.js
>>webpack-dev-server>>Versions before 5.2.1(exclusive)
cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-749Primarysecurity-advisories@github.com
CWE ID: CWE-749
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239security-advisories@github.com
Patch
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2vsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2Records found

CVE-2026-6402
Matching Score-10
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-10
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 11.99%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 07:45
Updated-18 May, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.

Action-Not Available
Vendor-webpack-dev-serverWebpack (OpenJS Foundation)
Product-webpack-dev-serverwebpack-dev-server
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2025-24361
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.36%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 00:53
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.

Action-Not Available
Vendor-nuxt
Product-nuxt
CWE ID-CWE-749
Exposed Dangerous Method or Function
Details not found