PT-2025-23648 · Unknown · Webpack-Dev-Server

Sapphi-Red · Published 2025-06-03 · Updated 2025-06-04 · CVE-2025-30359

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.1

Description: The issue allows an attacker to steal a user's source code when the user visits a malicious website. This is possible because a request for a classic script issued by a script tag is not subject to the same-origin policy, so the malicious page can load the development server's output script and run it. The attacker must know the port and the output entrypoint script path. By combining this with prototype pollution, the attacker can obtain a reference to the webpack runtime variables. Calling Function::toString on the values held in webpack modules then yields the source code.

Recommendations: For versions prior to 5.2.1, update to version 5.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the development server to minimize the risk of exploitation. Avoid using the webpack modules variable in sensitive contexts until the issue is resolved.
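A quick way to check whether a project is still on an affected release is to walk its lockfile for every installed copy of webpack-dev-server, including nested copies, and compare each version against the fixed release 5.2.1. The following is an added example, not code from the advisory or from the webpack project; the sample lockfile is constructed and the semver helpers are simplified (pre-release tags are compared as plain strings).

```javascript
const FIXED_VERSION = "5.2.1";
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts
// before its release (5.2.1-beta.0 < 5.2.1); pre-release tags are compared
// as plain strings, which is enough for a fixed-version check.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected range per the advisory: anything before 5.2.1.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk a package-lock.json v2/v3 "packages" map. Nested copies live under
// paths such as "node_modules/foo/node_modules/webpack-dev-server".
function findAffectedInstalls(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith("node_modules/webpack-dev-server")) continue;
    if (entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/webpack-dev-server": { version: "5.2.0" },
    "node_modules/some-tool/node_modules/webpack-dev-server": { version: "5.2.1" },
  },
};
console.log(findAffectedInstalls(sampleLock)); // → [{ path: "node_modules/webpack-dev-server", version: "5.2.0" }]
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.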


Related Identifiers

CVE-2025-30359
GHSA-4V9V-HFQ4-RM2V

Affected Products

Webpack-Dev-Server