Critical severity · NVD Advisory · Published Mar 13, 2023 · Updated Feb 27, 2025
CVE-2023-28154
Description
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| webpack (npm) | >= 5.0.0, < 5.76.0 | 5.76.0 |
Affected products
- ghsa-coords (6 versions), range: >= 5.0.0, < 5.76.0 (+ 5 more)
  - pkg:npm/webpack
  - pkg:rpm/almalinux/pcs
  - pkg:rpm/almalinux/pcs-snmp
  - pkg:rpm/opensuse/agama-web-ui&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/cockpit-agama&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/cockpit-d-installer&distro=openSUSE%20Tumbleweed
- (no CPE) range: >= 5.0.0, < 5.76.0
- (no CPE) range: < 0.11.3-4.el9_1.3
- (no CPE) range: < 0.11.3-4.el9_1.3
- (no CPE) range: < 9+52-1.1
- (no CPE) range: < 2.1+0-1.1
- (no CPE) range: < 0.8.1~1-5.1
References
- github.com/advisories/GHSA-hc6q-2mpp-qw7j (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28154 (ghsa, ADVISORY)
- github.com/webpack/webpack/compare/v5.75.0...v5.76.0 (ghsa, WEB)
- github.com/webpack/webpack/pull/16500 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D (ghsa, WEB)