CVE-2023-28154
CRITICALwebpack 5.0.0-5.75.0 - Prototype Pollution via ImportParserPlugin Magic Comment Handling
Title source: llmDescription
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
References (5)
Core 5
Core References
Patch, Product
https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/
Scores
CVSS v3
9.8
EPSS
0.0130
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
Status
published
Products (2)
npm/webpack
5.0.0 - 5.76.0npm
webpack.js/webpack
5.0.0 - 5.76.0
Published
Mar 13, 2023
Tracked Since
Feb 18, 2026