npm/webpack — 4 CVEs

CRITICAL9.8CVE-2023-28154Cross-realm object access in Webpack 5

>= 5.0.0, < 5.76.0

MEDIUM6.4CVE-2024-43788Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

>= 5.0.0-alpha.0, < 5.94.0

LOW3.7CVE-2025-68458webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

>= 5.49.0, < 5.104.1

LOW3.7webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

>= 5.49.0, < 5.104.0

pkg:npm/webpack