Bug 2370072 (CVE-2025-30359)

Summary: CVE-2025-30359 webpack-dev-server: webpack-dev-server information exposure
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An information exposure flaw has been discovered in webpack-dev-server. A request for a classic script made by a script tag is not subject to the same-origin policy, so an attacker can place a malicious script on their own site and run it against the development server. The attacker must know the port and the output entrypoint script path to exploit this vulnerability, but successful exploitation results in the source code being stolen from users who use a predictable port and output path for the entrypoint script.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2370096, 2370098, 2370100, 2370102, 2370110, 2370112, 2370114, 2370090, 2370092, 2370094, 2370104, 2370106, 2370108, 2370116    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-03 18:01:31 UTC
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.
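The root cause above is that a browser will happily load the dev server's entrypoint bundle from a script tag on an attacker's origin. As an added defensive example (not part of this bug report and not webpack-dev-server's own 5.2.1 fix), the middleware below uses the browser-sent Fetch Metadata headers `Sec-Fetch-Site` and `Sec-Fetch-Dest` to refuse script loads initiated from another site; it assumes the dev server is only ever opened from its own origin, and the `setupMiddlewares` hook named in the comment is an assumption about the configured webpack-dev-server version.

```javascript
// Added example: refuse cross-site <script> loads on a development server
// using Fetch Metadata request headers. Node lowercases incoming header names,
// so lookups use lowercase keys.

// Requests the browser reports as same-origin, or as user-initiated ('none'),
// are allowed; anything else is treated as another site.
const ALLOWED_SITES = new Set(['same-origin', 'none']);

// Pure decision function: true when the request is a script load that a
// different site initiated, which is exactly the pattern this CVE abuses.
function isCrossSiteScriptLoad(headers) {
  const site = String(headers['sec-fetch-site'] || '').toLowerCase();
  const dest = String(headers['sec-fetch-dest'] || '').toLowerCase();
  // Clients without Fetch Metadata (old browsers, curl) send neither header.
  // This guard fails open for them so local tooling keeps working; flip the
  // return value here to fail closed if every client is a modern browser.
  if (!site || !dest) return false;
  if (ALLOWED_SITES.has(site)) return false;
  return dest === 'script';
}

// Express-style middleware wrapping the decision: 403 the request, otherwise
// pass it down the chain to webpack-dev-server's own handlers.
function fetchMetadataGuard(req, res, next) {
  if (isCrossSiteScriptLoad(req.headers || {})) {
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Cross-site script loads are not permitted on the dev server\n');
    return;
  }
  next();
}

// Assumed wiring (webpack.config.js, webpack-dev-server v4/v5 style):
// devServer: {
//   setupMiddlewares(middlewares, devServer) {
//     devServer.app.use(fetchMetadataGuard);
//     return middlewares;
//   },
// },
```

This is a defense-in-depth layer for the class of issue; upgrading to 5.2.1 or later is still the fix the advisory calls for.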