{
  "url":"http://public2.vulnerablecode.io/api/packages/119224?format=json",
  "purl":"pkg:deb/debian/node-webpack@5.97.1%2Bdfsg1%2B~cs11.18.27-3?distro=trixie",
  "type":"deb",
  "namespace":"debian",
  "name":"node-webpack",
  "version":"5.97.1+dfsg1+~cs11.18.27-3",
  "qualifiers":{"distro":"trixie"},
  "subpath":"",
  "is_vulnerable":true,
  "next_non_vulnerable_version":"5.105.4+dfsg1+~cs15.13.23-2",
  "latest_non_vulnerable_version":"5.106.2+dfsg1+~cs15.15.23-3",
  "affected_by_vulnerabilities":[
    {
      "url":"http://public2.vulnerablecode.io/api/vulnerabilities/50028?format=json",
      "vulnerability_id":"VCID-cg66-ea2t-abdr",
      "summary":"webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior\nWhen `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) can be bypassed to fetch resources from **hosts outside `allowedUris`** by using crafted URLs that include **userinfo** (`username:password@host`). If `allowedUris` enforcement relies on a **raw string prefix check** (e.g., `uri.startsWith(allowed)`), a URL that *looks* allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (outbound requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion** (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.\n\nReproduced on:\n- webpack version: **5.104.0**\n- Node version: **v18.19.1**",
      "references":[
        {"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json"},
        {"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0151","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0243","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0247","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458"},
        {"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458"},
        {"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},
        {"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},
        {"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437209","reference_id":"2437209","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437209"},
        {"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458","reference_id":"CVE-2025-68458","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458"},
        {"reference_url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x"},
        {"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T20:26:49Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x"}
      ],
      "fixed_packages":[
        {"url":"http://public2.vulnerablecode.io/api/packages/119226?format=json","purl":"pkg:deb/debian/node-webpack@5.105.4%2Bdfsg1%2B~cs15.13.23-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.105.4%252Bdfsg1%252B~cs15.13.23-2%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119222?format=json","purl":"pkg:deb/debian/node-webpack@5.106.2%2Bdfsg1%2B~cs15.15.23-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.106.2%252Bdfsg1%252B~cs15.15.23-3%3Fdistro=trixie"}
      ],
      "aliases":["CVE-2025-68458","GHSA-8fgc-7cc6-rx7x"],
      "risk_score":1.6,
      "exploitability":"0.5",
      "weighted_severity":"3.3",
      "resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cg66-ea2t-abdr"
    },
    {
      "url":"http://public2.vulnerablecode.io/api/vulnerabilities/50031?format=json",
      "vulnerability_id":"VCID-gz84-uu6f-2ubv",
      "summary":"webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence\nWhen `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) enforces `allowedUris` only for the **initial** URL, but **does not re-validate `allowedUris` after following HTTP 30x redirects**. As a result, an import that appears restricted to a trusted allow-list can be redirected to **HTTP(S) URLs outside the allow-list**. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion in build outputs** (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache.",
      "references":[
        {"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json"},
        {"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0151","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0243","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0247","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157"},
        {"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68157","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68157"},
        {"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},
        {"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},
        {"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210","reference_id":"2437210","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210"},
        {"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157","reference_id":"CVE-2025-68157","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157"},
        {"reference_url":"https://github.com/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38r7-794h-5758"},
        {"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T19:29:04Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758"}
      ],
      "fixed_packages":[
        {"url":"http://public2.vulnerablecode.io/api/packages/119226?format=json","purl":"pkg:deb/debian/node-webpack@5.105.4%2Bdfsg1%2B~cs15.13.23-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.105.4%252Bdfsg1%252B~cs15.13.23-2%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119222?format=json","purl":"pkg:deb/debian/node-webpack@5.106.2%2Bdfsg1%2B~cs15.15.23-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.106.2%252Bdfsg1%252B~cs15.15.23-3%3Fdistro=trixie"}
      ],
      "aliases":["CVE-2025-68157","GHSA-38r7-794h-5758"],
      "risk_score":1.6,
      "exploitability":"0.5",
      "weighted_severity":"3.3",
      "resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gz84-uu6f-2ubv"
    }
  ],
  "fixing_vulnerabilities":[
    {
      "url":"http://public2.vulnerablecode.io/api/vulnerabilities/55739?format=json",
      "vulnerability_id":"VCID-hy2d-zvtz-5kdp",
      "summary":"Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS\nWe discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nWe found the real-world exploitation of this gadget in the Canvas LMS, which allows an XSS attack to happen through JavaScript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.",
      "references":[
        {"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json"},
        {"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788","reference_id":"","reference_type":"","scores":[{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81607","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81592","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81601","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81599","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788"},
        {"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788"},
        {"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},
        {"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},
        {"reference_url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61"},
        {"reference_url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270"},
        {"reference_url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering"},
        {"reference_url":"https://scnps.co/papers/sp23_domclob.pdf","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://scnps.co/papers/sp23_domclob.pdf"},
        {"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906","reference_id":"1081906","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906"},
        {"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193","reference_id":"2308193","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193"},
        {"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788","reference_id":"CVE-2024-43788","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788"},
        {"reference_url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986"},
        {"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:10214","reference_id":"RHSA-2024:10214","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10214"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:10906","reference_id":"RHSA-2024:10906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10906"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:7706","reference_id":"RHSA-2024:7706","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7706"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:7724","reference_id":"RHSA-2024:7724","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7724"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:7725","reference_id":"RHSA-2024:7725","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7725"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:7726","reference_id":"RHSA-2024:7726","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7726"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:8023","reference_id":"RHSA-2024:8023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8023"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:8113","reference_id":"RHSA-2024:8113","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8113"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2024:8676","reference_id":"RHSA-2024:8676","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8676"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2025:0323","reference_id":"RHSA-2025:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0323"}
      ],
      "fixed_packages":[
        {"url":"http://public2.vulnerablecode.io/api/packages/119225?format=json","purl":"pkg:deb/debian/node-webpack@5.94.0%2Bdfsg1%2B~cs11.18.26-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.94.0%252Bdfsg1%252B~cs11.18.26-2%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119224?format=json","purl":"pkg:deb/debian/node-webpack@5.97.1%2Bdfsg1%2B~cs11.18.27-3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"},{"vulnerability":"VCID-gz84-uu6f-2ubv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.97.1%252Bdfsg1%252B~cs11.18.27-3%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119222?format=json","purl":"pkg:deb/debian/node-webpack@5.106.2%2Bdfsg1%2B~cs15.15.23-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.106.2%252Bdfsg1%252B~cs15.15.23-3%3Fdistro=trixie"}
      ],
      "aliases":["CVE-2024-43788","GHSA-4vvj-4cpr-p986"],
      "risk_score":3.1,
      "exploitability":"0.5",
      "weighted_severity":"6.2",
      "resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hy2d-zvtz-5kdp"
    },
    {
      "url":"http://public2.vulnerablecode.io/api/vulnerabilities/44665?format=json",
      "vulnerability_id":"VCID-xf6z-axjf-s7dv",
      "summary":"Cross-realm object access in Webpack 5\nWebpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.",
      "references":[
        {"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28154.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28154.json"},
        {"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28154","reference_id":"","reference_type":"","scores":[{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80131","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.8012","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80124","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80119","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80111","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28154"},
        {"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28154"},
        {"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},
        {"reference_url":"https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0"},
        {"reference_url":"https://github.com/webpack/webpack/pull/16500","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://github.com/webpack/webpack/pull/16500"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/"},
        {"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904","reference_id":"1032904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904"},
        {"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179227","reference_id":"2179227","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179227"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/","reference_id":"AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/"},
        {"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28154","reference_id":"CVE-2023-28154","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28154"},
        {"reference_url":"https://github.com/advisories/GHSA-hc6q-2mpp-qw7j","reference_id":"GHSA-hc6q-2mpp-qw7j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hc6q-2mpp-qw7j"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/","reference_id":"PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/"},
        {"reference_url":"https://access.redhat.com/errata/RHSA-2023:1591","reference_id":"RHSA-2023:1591","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1591"},
        {"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/","reference_id":"U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/"}
      ],
      "fixed_packages":[
        {"url":"http://public2.vulnerablecode.io/api/packages/119221?format=json","purl":"pkg:deb/debian/node-webpack@4.43.0-6%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"},{"vulnerability":"VCID-gz84-uu6f-2ubv"},{"vulnerability":"VCID-hy2d-zvtz-5kdp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@4.43.0-6%252Bdeb11u1%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119220?format=json","purl":"pkg:deb/debian/node-webpack@5.75.0%2Bdfsg%2B~cs17.16.14-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"},{"vulnerability":"VCID-gz84-uu6f-2ubv"},{"vulnerability":"VCID-hy2d-zvtz-5kdp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.75.0%252Bdfsg%252B~cs17.16.14-1%252Bdeb12u1%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119223?format=json","purl":"pkg:deb/debian/node-webpack@5.76.1%2Bdfsg1%2B~cs17.16.16-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.76.1%252Bdfsg1%252B~cs17.16.16-1%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119224?format=json","purl":"pkg:deb/debian/node-webpack@5.97.1%2Bdfsg1%2B~cs11.18.27-3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"},{"vulnerability":"VCID-gz84-uu6f-2ubv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.97.1%252Bdfsg1%252B~cs11.18.27-3%3Fdistro=trixie"},
        {"url":"http://public2.vulnerablecode.io/api/packages/119222?format=json","purl":"pkg:deb/debian/node-webpack@5.106.2%2Bdfsg1%2B~cs15.15.23-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.106.2%252Bdfsg1%252B~cs15.15.23-3%3Fdistro=trixie"}
      ],
      "aliases":["CVE-2023-28154","GHSA-hc6q-2mpp-qw7j"],
      "risk_score":4.5,
      "exploitability":"0.5",
      "weighted_severity":"9.0",
      "resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xf6z-axjf-s7dv"
    }
  ],
  "risk_score":"1.6",
  "resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-webpack@5.97.1%252Bdfsg1%252B~cs11.18.27-3%3Fdistro=trixie"
}