{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T18:19:43.349","vulnerabilities":[{"cve":{"id":"CVE-2025-30359","sourceIdentifier":"security-advisories@github.com","published":"2025-06-03T18:15:25.243","lastModified":"2025-10-03T01:12:23.030","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue."},{"lang":"es","value":"webpack-dev-server permite a los usuarios usar webpack con un servidor de desarrollo que permite la recarga en tiempo real. Antes de la versión 5.2.1, el código fuente de los usuarios de webpack-dev-server podía ser robado al acceder a un sitio web malicioso. Dado que la solicitud de un script clásico mediante una etiqueta de script no está sujeta a la política del mismo origen, un atacante puede inyectar un script malicioso en su sitio y ejecutarlo. Tenga en cuenta que el atacante debe conocer el puerto y la ruta del script del punto de entrada de salida. Combinando la contaminación del prototipo, el atacante puede obtener una referencia a las variables de tiempo de ejecución de webpack. Al usar `Function::toString` con los valores de `__webpack_modules__`, el atacante puede obtener el código fuente. La versión 5.2.1 incluye un parche para este problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-749"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.1","matchCriteriaId":"16C3C1AC-AB15-456C-831A-A7F07FE7B88C"}]}]}],"references":[{"url":"https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}