CVE-2023-28154

NameCVE-2023-28154
DescriptionWebpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1032904

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-webpack (PTS)buster3.5.6-3.1fixed
bullseye4.43.0-6+deb11u1fixed
bookworm5.75.0+dfsg+~cs17.16.14-1+deb12u1fixed
sid, trixie5.76.1+dfsg2+~cs10.8.15-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-webpacksourcebuster(not affected)
node-webpacksourcebullseye4.43.0-6+deb11u1
node-webpacksourcebookworm5.75.0+dfsg+~cs17.16.14-1+deb12u1
node-webpacksource(unstable)5.76.1+dfsg1+~cs17.16.16-11032904

Notes

[buster] - node-webpack <not-affected> (vulnerable code vm.runInNewContext(`(function(){return {${value}};})()`); is not present. Introduced latter)
https://github.com/webpack/webpack/pull/16500
Merge commit: https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80 (v5.76.0)
Search for package or bug name: Reporting problems