CVE-2025-30359: 
JavaScript vulnerability analysis and mitigation

webpack-dev-server, prior to version 5.2.1, contains a security vulnerability (CVE-2025-30359) that could allow attackers to steal source code when users access a malicious website. The vulnerability was discovered and disclosed on June 3, 2025, affecting all versions up to and including 5.2.0 (GitHub Advisory).

The vulnerability stems from the way webpack-dev-server handles script requests. Because requests for classic scripts via script tags are not subject to same-origin policy, attackers can inject and execute scripts from their malicious sites. When combined with prototype pollution, attackers can gain access to webpack runtime variables. Using Function::toString against values in webpack_modules, they can extract the source code. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector with high complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability can result in source code theft for users who utilize predictable ports and output paths for their entrypoint scripts. This exposure could lead to intellectual property theft and potentially reveal sensitive implementation details or security measures within the source code (GitHub Advisory).

The vulnerability has been patched in webpack-dev-server version 5.2.1. Users are strongly advised to upgrade to this version or later to protect against potential source code theft. The fix includes changes to how the server handles requests with IP addresses in Origin headers (GitHub Commit).