Description
Problem Description
Dependabot has identified a moderate severity vulnerability in webpack-dev-server (npm) via alert #192, titled "webpack-dev-server users' source code may be stolen when they access a malicious web site." The affected versions are <= 5.2.0, and the earliest fixed version is 5.2.1.
This vulnerability (CVE-2025-30359) lets an attacker steal a user's source code if the user visits a malicious website while webpack-dev-server is running on a predictable port and serving its entrypoint script at a predictable path. It works because a classic script requested through a `<script>` tag is not subject to the same-origin policy, so the attacker's page can load the dev server's bundle directly. Combined with prototype pollution, the attacker can reach the webpack runtime variables and extract the bundled source by calling `Function::toString` on the module functions in `__webpack_modules__`.
Dependabot is currently blocked from updating webpack-dev-server to a non-vulnerable version. The latest version it can install is 4.9.3, because of a conflicting direct dependency:
react-scripts@5.0.0 requires webpack-dev-server@^4.6.0. That caret range admits only 4.x releases, so 5.2.1 cannot be resolved while this constraint stands.
Proposed Solution
To mitigate this vulnerability, we need to update webpack-dev-server to version 5.2.1 or newer. Given that react-scripts@5.0.0 is the blocking dependency, the primary approach will be to update react-scripts to a version that either:
No longer depends on the vulnerable webpack-dev-server versions.
Allows for webpack-dev-server@5.2.1 or higher to be resolved.
Action Items
Investigate react-scripts Compatibility: Check the latest react-scripts releases for compatibility with webpack-dev-server@5.2.1+ by reading their changelogs and dependency trees (the `dependencies` field of the published package.json) to see whether the webpack-dev-server dependency has been raised or its range loosened. Note that webpack-dev-server 5 also changed its options schema (the `onBeforeSetupMiddleware` and `onAfterSetupMiddleware` hooks, which react-scripts 5 uses, were removed in favour of `setupMiddlewares`), so forcing the version with a yarn `resolutions` entry alone is expected to fail the dev server's config validation unless react-scripts itself has been updated; confirm this during the investigation.
Update react-scripts: If a compatible version is found, bump the react-scripts entry in packages/auth/package.json and regenerate packages/auth/yarn.lock with `yarn install`.
Verify webpack-dev-server Version: After the update, confirm that every webpack-dev-server entry in packages/auth/yarn.lock resolves to 5.2.1 or newer; `yarn why webpack-dev-server` shows which version is installed and which package pulls it in.
Test Thoroughly: After the update, run the development server (`react-scripts start`) and the production build (`react-scripts build`) and exercise the application to make sure no regressions or breaking changes have been introduced, particularly in the development environment and build processes.
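The version-conflict reasoning and the lock-file verification step above can be scripted. The following is an added example, not code from this issue, from react-scripts or from webpack-dev-server: it parses a yarn v1 lock file, reports which webpack-dev-server versions are pinned and which are older than 5.2.1, and checks whether the range react-scripts declares could ever admit the fixed version. The yarn.lock excerpt embedded in it is constructed for the example (modelled on the constraint quoted in this issue, not copied from packages/auth/yarn.lock), and the function names are the example's own.

```javascript
// Added example, not code from the issue or from react-scripts/webpack-dev-server.
// Audits a yarn v1 lock file: which webpack-dev-server versions are pinned,
// which are below the fixed version, and whether the dependant's declared
// range could ever admit the fix.

// Constructed yarn.lock excerpt (not the real packages/auth/yarn.lock), modelled
// on the constraint quoted in the issue: react-scripts@5.0.0 -> webpack-dev-server@^4.6.0.
const SAMPLE_YARN_LOCK = `
# yarn lockfile v1

react-scripts@5.0.0:
  version "5.0.0"
  resolved "https://registry.yarnpkg.com/react-scripts/-/react-scripts-5.0.0.tgz"
  dependencies:
    webpack "^5.64.4"
    webpack-dev-server "^4.6.0"

webpack-dev-server@^4.6.0:
  version "4.9.3"
  resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-4.9.3.tgz"
`;

const FIXED_VERSION = "5.2.1"; // first patched release per the advisory

// Strip surrounding quotes from a lock-file key such as "@scope/name@^1.0.0".
function unquote(s) {
  return s.trim().replace(/^"|"$/g, "");
}

// Top-level entry headers look like `name@range, name@range2:` with no indentation.
function isEntryHeader(line) {
  return !/^\s/.test(line) && line.endsWith(":");
}

// Does this header describe `pkg`? Keys start with `<pkg>@`, which also keeps
// "webpack-dev-server" apart from a hypothetical "webpack-dev-server-foo".
function headerMentions(line, pkg) {
  return line.slice(0, -1).split(",").map(unquote).some(k => k.startsWith(pkg + "@"));
}

function parseVersion(v) {
  return v.replace(/^v/, "").split(".").map(Number);
}

// Three-component numeric comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every concrete version of `pkg` pinned anywhere in the lock file.
function lockedVersions(lockText, pkg) {
  const lines = lockText.split("\n");
  const versions = [];
  for (let i = 0; i < lines.length; i++) {
    if (!isEntryHeader(lines[i]) || !headerMentions(lines[i], pkg)) continue;
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const m = lines[j].match(/^\s+version "([^"]+)"/);
      if (m) { versions.push(m[1]); break; }
    }
  }
  return versions;
}

// The range `dependant` declares for `dep` in its `dependencies:` block, or null.
function declaredRange(lockText, dependant, dep) {
  let inEntry = false, inDeps = false;
  for (const line of lockText.split("\n")) {
    if (isEntryHeader(line)) { inEntry = headerMentions(line, dependant); inDeps = false; continue; }
    if (!inEntry) continue;
    if (/^\s{2}\S/.test(line)) { inDeps = /^\s{2}dependencies:/.test(line); continue; }
    const m = inDeps && line.match(/^\s{4}"?([^"\s]+)"?\s+"([^"]+)"/);
    if (m && m[1] === dep) return m[2];
  }
  return null;
}

// Minimal caret semantics, enough for this constraint: ^a.b.c with a > 0
// admits >= a.b.c and < (a+1).0.0. Anything else throws rather than guessing.
function caretAdmits(range, version) {
  const m = range.match(/^\^(\d+)\.(\d+)\.(\d+)$/);
  if (!m || Number(m[1]) === 0) throw new Error("unsupported range: " + range);
  const [major, minor, patch] = m.slice(1).map(Number);
  return compareVersions(version, `${major}.${minor}.${patch}`) >= 0 &&
         compareVersions(version, `${major + 1}.0.0`) < 0;
}

function audit(lockText, pkg = "webpack-dev-server", dependant = "react-scripts", fixed = FIXED_VERSION) {
  const locked = lockedVersions(lockText, pkg);
  const range = declaredRange(lockText, dependant, pkg);
  return {
    locked,
    vulnerable: locked.filter(v => compareVersions(v, fixed) < 0),
    range,
    rangeAdmitsFix: range === null ? null : caretAdmits(range, fixed),
  };
}

// With a yarn.lock path as the first argument, audit that file; otherwise the embedded sample.
const lockPath = typeof process !== "undefined" ? process.argv[2] : undefined;
const lockText = lockPath && lockPath.endsWith("yarn.lock") && typeof require === "function"
  ? require("fs").readFileSync(lockPath, "utf8")
  : SAMPLE_YARN_LOCK;
console.log(JSON.stringify(audit(lockText), null, 2));
```

Run it as `node check-wds.js packages/auth/yarn.lock` to audit the real lock file; with no argument it audits the embedded sample and reports 4.9.3 as vulnerable and `^4.6.0` as unable to admit 5.2.1. The caret helper deliberately handles only plain `^x.y.z` ranges with a non-zero major, which is all this constraint needs; anything else throws rather than silently approving a range.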
Additional Information
Dependabot Alert: #192 (see the repository's Dependabot alerts)
CVE ID: CVE-2025-30359
GHSA ID: GHSA-4v9v-hfq4-rm2v
CVSS v3 base score: 5.3 (Moderate), vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Impact: Source code disclosure in development environments. The dev server is not part of production builds, but a developer's machine is exposed whenever it is running and the developer browses to a malicious site.