CVE-2024-43788: Cross-site Scripting in Webpack

Severity: 6.1 MEDIUM (NVD)
EPSS: 1.8% (top 17.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 27; latest update Jan 23

Description

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name`

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (11 packages)

Source      Package                  Affected range
npm         webpack/webpack          introduced 5.0.0-alpha.0, fixed in 5.94.0
NVD         webpack.js/webpack       < 5.94.0
Debian      debian/node-webpack      < node-webpack 5.94.0+dfsg1+~cs11.18.26-2 (forky)
CVEListV5   webpack/webpack          >= 5.0.0-alpha.0, < 5.94.0
npm         astro/astro              introduced 3.0.0, fixed in 4.16.1

Patches

Vulnerability Details (10)

GHSA  Liferay Portal's Organization Selector exposes organization data to remote authenticated users (2025-09-12)
GHSA  DOM Clobbering Gadget found in astro's client-side router that leads to XSS (2024-10-14)
OSV   DOM Clobbering Gadget found in astro's client-side router that leads to XSS (2024-10-14)
OSV   Layui has DOM Clobbering gadgets that leads to Cross-site Scripting (2024-09-26)
GHSA  Layui has DOM Clobbering gadgets that leads to Cross-site Scripting (2024-09-26)

Vendor Advisories (3)

Red Hat    webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (2024-08-27)
Microsoft  DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS) (2024-08-13)
Debian     CVE-2024-43788: node-webpack - Webpack is a module bundler. Its main purpose is to bundle JavaScript files for ... (2024)

Research Papers (1)

arXiv  Insecure Ingredients? Exploring Dependency Update Patterns of Bundled JavaScript Packages on the Web (2026-01-23)