CVE-2025-30359

{"id": "CVE-2025-30359", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2025-06-03T18:15:25.243", "references": [{"url": "https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239", "source": "security-advisories@github.com"}, {"url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-749"}]}], "descriptions": [{"lang": "en", "value": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue."}, {"lang": "es", "value": "webpack-dev-server permite a los usuarios usar webpack con un servidor de desarrollo que permite la recarga en tiempo real. Antes de la versi\u00f3n 5.2.1, el c\u00f3digo fuente de los usuarios de webpack-dev-server pod\u00eda ser robado al acceder a un sitio web malicioso. Dado que la solicitud de un script cl\u00e1sico mediante una etiqueta de script no est\u00e1 sujeta a la pol\u00edtica del mismo origen, un atacante puede inyectar un script malicioso en su sitio y ejecutarlo. Tenga en cuenta que el atacante debe conocer el puerto y la ruta del script del punto de entrada de salida. Combinando la contaminaci\u00f3n del prototipo, el atacante puede obtener una referencia a las variables de tiempo de ejecuci\u00f3n de webpack. Al usar `Function::toString` con los valores de `__webpack_modules__`, el atacante puede obtener el c\u00f3digo fuente. La versi\u00f3n 5.2.1 incluye un parche para este problema."}], "lastModified": "2025-06-04T14:54:33.783", "sourceIdentifier": "security-advisories@github.com"}