CVE-2023-28154

Cross-realm object access in Webpack 5 in npm/webpack

Identifiers

CVE-2023-28154, GHSA-hc6q-2mpp-qw7j

Package Slug

npm/webpack

Vulnerability

Cross-realm object access in Webpack 5

Description

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Affected Versions

All versions starting from 5.0.0 before 5.76.0

Solution

Upgrade to version 5.76.0 or above.
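
To confirm that no copy of webpack in the affected range is still installed, including copies nested under other dependencies, the following added example (not part of the advisory or of webpack itself) scans the `packages` map of an npm lockfile. It assumes the lockfileVersion 2/3 layout; the sample lockfile and its package names are constructed.

```javascript
// Added example: flag webpack installs in the range this advisory lists
// (>= 5.0.0 and < 5.76.0) in an npm lockfile's "packages" map.
const FIRST = [5, 0, 0];   // first affected version, from the advisory
const FIXED = [5, 76, 0];  // first fixed version, from the advisory

// Parse "major.minor.patch"; any prerelease/build suffix is ignored, so
// 5.0.0-beta.N is treated as 5.0.0 (conservative assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, FIRST) >= 0 && compare(v, FIXED) < 0;
}

// Returns [{ path, version }] for every affected copy, including nested ones.
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only the package named exactly "webpack", at any nesting depth.
    if (!/(^|\/)node_modules\/webpack$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/webpack": { version: "5.76.0" },
    "node_modules/legacy-tool/node_modules/webpack": { version: "5.75.0" },
    "node_modules/webpack-cli": { version: "4.10.0" },
    "node_modules/old-build/node_modules/webpack": { version: "4.46.0" },
  },
};

console.log(findAffectedWebpack(sampleLock));
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `findAffectedWebpack`.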

Last Modified

2023-03-16
