webpack
npm · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting webpack
- CVE-2023-28154 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.76.0 · 2023-03-13
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
- CVE-2024-43788 · MEDIUM · CVSS 6.4 · EG 6.4 · ✓ Fixed in 5.94.0 · 2024-08-27
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a D…
- CVE-2025-68157 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 5.104.0 · 2026-02-05
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris aft…
- CVE-2025-68458 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 5.104.1 · 2026-02-05
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs…