CVE-2023-28154

Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 9.8
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions: webpack >= 5.0.0 < 5.76.0
Severity:
Ecosystem: JavaScript
Publish Date: March 12, 2023
Modified Date: November 7, 2023