CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

References

Affected packages

Git / github.com/webpack/webpack

Affected ranges

Type: GIT
Repo: https://github.com/webpack/webpack
Events: Introduced

610f36817af1f1c6929786d68f734ac582af1757

Fixed

97b1718720c33f1b17302a74c5284b01e02ec001

Affected versions

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.10.0

v5.10.1

v5.10.2

v5.10.3

v5.11.0

v5.11.1

v5.12.0

v5.12.1

v5.12.2

v5.12.3

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.17.0

v5.18.0

v5.19.0

v5.2.0

v5.2.1

v5.20.0

v5.20.1

v5.20.2

v5.21.0

v5.21.2

v5.22.0

v5.23.0

v5.24.0

v5.24.1

v5.24.2

v5.24.3

v5.24.4

v5.25.0

v5.25.1

v5.26.0

v5.26.1

v5.26.2

v5.26.3

v5.27.0

v5.27.1

v5.27.2

v5.28.0

v5.29.0

v5.3.0

v5.3.1

v5.3.2

v5.30.0

v5.31.0

v5.31.1

v5.31.2

v5.32.0

v5.33.0

v5.33.1

v5.33.2

v5.34.0

v5.35.0

v5.35.1

v5.36.0

v5.36.1

v5.36.2

v5.37.0

v5.37.1

v5.38.0

v5.38.1

v5.39.0

v5.39.1

v5.4.0

v5.40.0

v5.41.0

v5.41.1

v5.42.0

v5.42.1

v5.43.0

v5.44.0

v5.45.0

v5.45.1

v5.46.0

v5.47.0

v5.47.1

v5.48.0

v5.49.0

v5.5.0

v5.5.1

v5.50.0

v5.51.0

v5.51.1

v5.51.2

v5.52.0

v5.52.1

v5.53.0

v5.54.0

v5.55.0

v5.55.1

v5.56.0

v5.56.1

v5.57.0

v5.57.1

v5.58.0

v5.58.1

v5.58.2

v5.59.0

v5.59.1

v5.6.0

v5.60.0

v5.61.0

v5.62.0

v5.62.1

v5.62.2

v5.63.0

v5.64.0

v5.64.1

v5.64.2

v5.64.3

v5.64.4

v5.65.0

v5.66.0

v5.67.0

v5.68.0

v5.69.0

v5.69.1

v5.7.0

v5.70.0

v5.71.0

v5.72.0

v5.72.1

v5.73.0

v5.74.0

v5.75.0

v5.8.0

v5.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28154.json"