Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via DOM clobbering in the `AutoPublicPathRuntimeModule` class. Non-script HTML elements with unsanitized attributes such as `name` and `id` can be leveraged to execute code in the victim's browser. An attacker who can control such elements on a page that includes Webpack-generated files, can cause subsequent scripts to be loaded from a malicious domain. How to fix Cross-site Scripting (XSS)? Upgrade `webpack` to version 5.94.0 or higher.	<5.94.0
H Sandbox Bypass Affected versions of this package are vulnerable to Sandbox Bypass when `ImportParserPlugin.js` mishandles magic comments to allow cross-realm object access. An attacker who controls a property of an untrusted object can access the real global object. How to fix Sandbox Bypass? Upgrade `webpack` to version 5.76.0 or higher.	>=5.0.0-alpha.0 <5.76.0

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via DOM clobbering in the AutoPublicPathRuntimeModule class. Non-script HTML elements with unsanitized attributes such as name and id can be leveraged to execute code in the victim's browser. An attacker who can control such elements on a page that includes Webpack-generated files, can cause subsequent scripts to be loaded from a malicious domain.

How to fix Cross-site Scripting (XSS)?

Upgrade webpack to version 5.94.0 or higher.

<5.94.0

Sandbox Bypass

Affected versions of this package are vulnerable to Sandbox Bypass when ImportParserPlugin.js mishandles magic comments to allow cross-realm object access. An attacker who controls a property of an untrusted object can access the real global object.

How to fix Sandbox Bypass?

Upgrade webpack to version 5.76.0 or higher.

>=5.0.0-alpha.0 <5.76.0

Go back to all versions of this package