webpack 5.59.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the webpack package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `HttpUriPlugin` component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untrusted content in build outputs by manipulating import URLs to trigger redirects outside the intended allow-list. Note: This is only exploitable if `experiments.buildHttp` is enabled. How to fix Server-side Request Forgery (SSRF)? Upgrade `webpack` to version 5.104.0 or higher.	>=5.49.0 <5.104.0
L Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `HttpUriPlugin` component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with userinfo components that bypass allow-list validation. Note: This is only exploitable if `experiments.buildHttp` is enabled. How to fix Server-side Request Forgery (SSRF)? Upgrade `webpack` to version 5.104.1 or higher.	>=5.49.0 <5.104.1
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via DOM clobbering in the `AutoPublicPathRuntimeModule` class. Non-script HTML elements with unsanitized attributes such as `name` and `id` can be leveraged to execute code in the victim's browser. An attacker who can control such elements on a page that includes Webpack-generated files, can cause subsequent scripts to be loaded from a malicious domain. How to fix Cross-site Scripting (XSS)? Upgrade `webpack` to version 5.94.0 or higher.	<5.94.0
H Sandbox Bypass Affected versions of this package are vulnerable to Sandbox Bypass when `ImportParserPlugin.js` mishandles magic comments to allow cross-realm object access. An attacker who controls a property of an untrusted object can access the real global object. How to fix Sandbox Bypass? Upgrade `webpack` to version 5.76.0 or higher.	>=5.0.0-alpha.0 <5.76.0

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untrusted content in build outputs by manipulating import URLs to trigger redirects outside the intended allow-list.

Note:

This is only exploitable if experiments.buildHttp is enabled.

How to fix Server-side Request Forgery (SSRF)?

Upgrade webpack to version 5.104.0 or higher.

>=5.49.0 <5.104.0

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with userinfo components that bypass allow-list validation.

Note:

This is only exploitable if experiments.buildHttp is enabled.

How to fix Server-side Request Forgery (SSRF)?

Upgrade webpack to version 5.104.1 or higher.

>=5.49.0 <5.104.1

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via DOM clobbering in the AutoPublicPathRuntimeModule class. Non-script HTML elements with unsanitized attributes such as name and id can be leveraged to execute code in the victim's browser. An attacker who can control such elements on a page that includes Webpack-generated files, can cause subsequent scripts to be loaded from a malicious domain.

How to fix Cross-site Scripting (XSS)?

Upgrade webpack to version 5.94.0 or higher.

<5.94.0

Sandbox Bypass

Affected versions of this package are vulnerable to Sandbox Bypass when ImportParserPlugin.js mishandles magic comments to allow cross-realm object access. An attacker who controls a property of an untrusted object can access the real global object.

How to fix Sandbox Bypass?

Upgrade webpack to version 5.76.0 or higher.

>=5.0.0-alpha.0 <5.76.0

webpack@5.59.0 vulnerabilities

Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically