CVE-2020-15262: Insufficient Verification of Data Authenticity

October 19, 2020 (updated November 18, 2021)

In webpack-subresource-integrity, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected.

References

nvd.nist.gov/vuln/detail/CVE-2020-15262

Code Behaviors & Features

Detect and mitigate CVE-2020-15262 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →