CVE-2023-28154 — Cross-realm object access in Webpack 5

Description

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

How to fix CVE-2023-28154

To remediate CVE-2023-28154, upgrade the affected package to a fixed version below.

Debian/node-webpack—upgrade to 4.43.0-6+deb11u1 or later
—upgrade to 5.76.0 or later

Is CVE-2023-28154 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.43.0-6+deb11u1
>= 5.0.0, < 5.76.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28154
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-28154
WEBgithub.com/webpack/webpack/compare/v5.75.0...v5.76.0
WEBgithub.com/webpack/webpack/pull/16500