CVE-2023-28154: Cross-realm object access in Webpack 5

March 13, 2023 (updated November 7, 2023)

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

References

github.com/advisories/GHSA-hc6q-2mpp-qw7j
github.com/webpack/webpack/compare/v5.75.0...v5.76.0
github.com/webpack/webpack/pull/16500
nvd.nist.gov/vuln/detail/CVE-2023-28154

Code Behaviors & Features

Detect and mitigate CVE-2023-28154 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →