{"url":"http://public2.vulnerablecode.io/api/packages/618508?format=json","purl":"pkg:npm/webpack@5.60.0","type":"npm","namespace":"","name":"webpack","version":"5.60.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.104.1","latest_non_vulnerable_version":"5.104.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93410?format=json","vulnerability_id":"VCID-g7uq-bwu2-5fhb","summary":"Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02457","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02448","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02456","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02454","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437209","reference_id":"2437209","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437209"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458","reference_id":"CVE-2025-68458","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458"},{"reference_url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T20:26:49Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38791?format=json","purl":"pkg:npm/webpack@5.104.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.104.1"}],"aliases":["CVE-2025-68458","GHSA-8fgc-7cc6-rx7x"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g7uq-bwu2-5fhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93439?format=json","vulnerability_id":"VCID-nj17-xu5h-qkbq","summary":"Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02456","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02457","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02448","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02454","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68157","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68157"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210","reference_id":"2437210","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157","reference_id":"CVE-2025-68157","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157"},{"reference_url":"https://github.com/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38r7-794h-5758"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T19:29:04Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38789?format=json","purl":"pkg:npm/webpack@5.104.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7uq-bwu2-5fhb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.104.0"}],"aliases":["CVE-2025-68157","GHSA-38r7-794h-5758"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nj17-xu5h-qkbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15313?format=json","vulnerability_id":"VCID-s194-kder-qyfy","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28154.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28154.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28154","reference_id":"","reference_type":"","scores":[{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80171","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80241","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80249","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01303","scoring_system":"epss","scoring_elements":"0.80233","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28154"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28154","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28154"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904","reference_id":"1032904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904"},{"reference_url":"https://github.com/webpack/webpack/pull/16500","reference_id":"16500","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://github.com/webpack/webpack/pull/16500"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179227","reference_id":"2179227","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179227"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/","reference_id":"AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/"},{"reference_url":"https://github.com/advisories/GHSA-hc6q-2mpp-qw7j","reference_id":"GHSA-hc6q-2mpp-qw7j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hc6q-2mpp-qw7j"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/","reference_id":"PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1591","reference_id":"RHSA-2023:1591","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1591"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/","reference_id":"U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/"},{"reference_url":"https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0","reference_id":"v5.75.0...v5.76.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-27T19:54:27Z/"}],"url":"https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381008?format=json","purl":"pkg:npm/webpack@5.76.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7uq-bwu2-5fhb"},{"vulnerability":"VCID-nj17-xu5h-qkbq"},{"vulnerability":"VCID-u3nt-bamm-v3d3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.76.0"}],"aliases":["CVE-2023-28154","GHSA-hc6q-2mpp-qw7j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s194-kder-qyfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20293?format=json","vulnerability_id":"VCID-u3nt-bamm-v3d3","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788","reference_id":"","reference_type":"","scores":[{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81644","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81705","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81713","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81704","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906","reference_id":"1081906","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906"},{"reference_url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270","reference_id":"18718#issuecomment-2326296270","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193","reference_id":"2308193","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193"},{"reference_url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61","reference_id":"955e057abc6cc83cbc3fa1e1ef67a49758bf5a61","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788","reference_id":"CVE-2024-43788","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788"},{"reference_url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10214","reference_id":"RHSA-2024:10214","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10214"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10906","reference_id":"RHSA-2024:10906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7706","reference_id":"RHSA-2024:7706","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7706"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7724","reference_id":"RHSA-2024:7724","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7724"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7725","reference_id":"RHSA-2024:7725","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7725"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7726","reference_id":"RHSA-2024:7726","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7726"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8023","reference_id":"RHSA-2024:8023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8023"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8113","reference_id":"RHSA-2024:8113","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8113"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8676","reference_id":"RHSA-2024:8676","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8676"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0323","reference_id":"RHSA-2025:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0323"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1249","reference_id":"RHSA-2025:1249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1249"},{"reference_url":"https://scnps.co/papers/sp23_domclob.pdf","reference_id":"sp23_domclob.pdf","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://scnps.co/papers/sp23_domclob.pdf"},{"reference_url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering","reference_id":"xss-in-amp4email-dom-clobbering","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33126?format=json","purl":"pkg:npm/webpack@5.94.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7uq-bwu2-5fhb"},{"vulnerability":"VCID-nj17-xu5h-qkbq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.94.0"}],"aliases":["CVE-2024-43788","GHSA-4vvj-4cpr-p986"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u3nt-bamm-v3d3"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.60.0"}