
Cloud Vulnerability DB
A community-led vulnerabilities database
A DOM Clobbering vulnerability was discovered in Rspack's AutoPublicPathRuntimeModule (GHSA-84jw-g43v-8gjm, CVE-2024-43788) affecting versions < 1.0.0-rc.1. The vulnerability was found in the automatic public path resolution mechanism when the output.publicPath configuration is not set or is set to 'auto'. This moderate severity vulnerability (CVSS score 6.4) was disclosed on September 19, 2024, and affects the npm package @rspack/core (GitHub Advisory).
The vulnerability exists in the AutoPublicPathRuntimeModule where the document.currentScript lookup can be shadowed by an attacker-controlled HTML element. When the publicPath is set to 'auto' or not set, the generated bundle code attempts to dynamically resolve and load additional JavaScript files. An attacker can exploit this by inserting an img tag with a name attribute set to currentScript, causing the src attribute of the attacker-controlled element to be used as the scriptUrl and assigned to `__webpack_require__.p`. This vulnerability has been assigned a CVSS v3.1 score of 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H) (GitHub Advisory).
The vulnerability can lead to cross-site scripting (XSS) attacks on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. If exploited, it could result in arbitrary script loading from an attacker's server, potentially leading to severe security risks. The vulnerability has been confirmed to have real-world exploitation potential in the Canvas LMS (GitHub Advisory).
The vulnerability has been patched in version 1.0.0-rc.1 of @rspack/core. The fix involves adding a check for the currentScript's tagName to ensure it is actually a SCRIPT element, similar to the approach used in the Google Closure project. Users should upgrade to the patched version to prevent potential exploitation (GitHub Advisory).
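The shadowed lookup and the tagName check described above, modelled in plain JavaScript as an added example (this is not Rspack's or webpack's own runtime code). The resolvePublicPath* functions and scriptDir are assumed names; they take a document-like object instead of the global `document` so the comparison runs under Node, and LEGIT_DOC / CLOBBERED_DOC are constructed stand-ins for document.currentScript with hypothetical hosts.

```javascript
// Added example modelling the auto-publicPath lookup; not Rspack's own code.
// Both resolvers take a document-like object instead of the global `document`
// so the vulnerable and hardened forms can be compared without a DOM.

// Approximation of the runtime's path derivation: strip fragment and query,
// then keep everything up to and including the last '/'.
function scriptDir(src) {
  return src.replace(/#.*$/, '').replace(/\?.*$/, '').replace(/\/[^/]+$/, '/');
}

// Vulnerable form: uses whatever `currentScript` resolves to. If an injected
// element named "currentScript" shadows the real property, its src wins.
function resolvePublicPathUnchecked(doc) {
  const script = doc.currentScript;
  if (!script || typeof script.src !== 'string') return undefined;
  return scriptDir(script.src);
}

// Hardened form, in the spirit of the 1.0.0-rc.1 fix: only a real <script>
// element may supply the public path; any other element is rejected.
function resolvePublicPathChecked(doc) {
  const script = doc.currentScript;
  if (!script || script.tagName !== 'SCRIPT') return undefined;
  if (typeof script.src !== 'string') return undefined;
  return scriptDir(script.src);
}

// Constructed stand-in: the bundle's own <script> tag (hypothetical host).
const LEGIT_DOC = {
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/static/js/main.js?v=1' },
};
// Constructed stand-in for the clobbered case: an injected
// <img name="currentScript" src=...> shadows the property (hypothetical host).
const CLOBBERED_DOC = {
  currentScript: { tagName: 'IMG', src: 'https://attacker.example/assets/pixel.gif' },
};

console.log(resolvePublicPathUnchecked(CLOBBERED_DOC)); // https://attacker.example/assets/
console.log(resolvePublicPathChecked(CLOBBERED_DOC));   // undefined
```

With the check in place the clobbered lookup yields no public path at all, so the bundle cannot be pointed at a foreign origin for its chunk loading.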
Source: This report was generated using AI