📂 Vulnerable Library - terser-webpack-plugin-5.3.6.tgz
Terser plugin for webpack
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2023-28154 |
🟣 Critical |
9.8 |
Not Defined |
1.2% |
webpack-5.75.0.tgz |
Direct |
webpack - 5.76.0 |
✅ |
 Unreachable |
| CVE-2024-43788 |
🟠 Medium |
6.4 |
Not Defined |
1.8% |
webpack-5.75.0.tgz |
Direct |
webpack - 5.94.0 |
✅ |
Unreachable |
| CVE-2026-34043 |
🟠 Medium |
5.9 |
Not Defined |
< 1% |
serialize-javascript-6.0.0.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2024-11831 |
🟠 Medium |
5.4 |
Not Defined |
1.1% |
serialize-javascript-6.0.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2025-68157 |
🟡 Low |
3.7 |
Not Defined |
< 1% |
webpack-5.75.0.tgz |
Direct |
webpack - 5.104.0 |
✅ |
Unreachable |
| CVE-2025-68458 |
🟡 Low |
3.7 |
Not Defined |
< 1% |
webpack-5.75.0.tgz |
Direct |
webpack - 5.104.1 |
✅ |
Unreachable |
| CVE-2025-69873 |
🟡 Low |
2.9 |
Not Defined |
< 1% |
ajv-6.12.6.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🟣CVE-2023-28154
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpackbar-5.0.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
mini-css-extract-plugin-2.7.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: Mar 13, 2023 12:00 AM
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.2%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: webpack/webpack#16500
Release Date: Mar 13, 2023 12:00 AM
Fix Resolution : webpack - 5.76.0
🟠CVE-2024-43788
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpackbar-5.0.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
mini-css-extract-plugin-2.7.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution : webpack - 5.94.0
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-6.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
- terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ serialize-javascript-6.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- sw-next-storefront-1.0.0/webpack.config.js (Application)
- terser-webpack-plugin-5.3.6/dist/index.js (Extension)
-> ❌ serialize-javascript-6.0.0/index.js (Vulnerable Component)
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution : https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-6.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
- terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ serialize-javascript-6.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- sw-next-storefront-1.0.0/webpack.config.js (Application)
- terser-webpack-plugin-5.3.6/dist/index.js (Extension)
-> ❌ serialize-javascript-6.0.0/index.js (Vulnerable Component)
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution : serialize-javascript - 6.0.2
🟡CVE-2025-68157
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpackbar-5.0.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
mini-css-extract-plugin-2.7.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
Publish Date: Feb 05, 2026 11:08 PM
URL: CVE-2025-68157
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-38r7-794h-5758
Release Date: Feb 05, 2026 11:15 PM
Fix Resolution : webpack - 5.104.0
🟡CVE-2025-68458
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
terser-webpack-plugin-5.3.6.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpackbar-5.0.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
mini-css-extract-plugin-2.7.2.tgz (Root Library)
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
-
❌ webpack-5.75.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
Publish Date: Feb 05, 2026 11:08 PM
URL: CVE-2025-68458
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-8fgc-7cc6-rx7x
Release Date: Feb 05, 2026 11:15 PM
Fix Resolution : webpack - 5.104.1
🟡CVE-2025-69873
Vulnerable Library - ajv-6.12.6.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
terser-webpack-plugin-5.3.6.tgz (Root Library)
- schema-utils-3.1.1.tgz
- ❌ ajv-6.12.6.tgz (Vulnerable Library)
-
webpack-5.75.0.tgz (Root Library)
- schema-utils-3.1.1.tgz
- ❌ ajv-6.12.6.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- schema-utils-1.0.0.tgz
- ❌ ajv-6.12.6.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Publish Date: Feb 11, 2026 12:00 AM
URL: CVE-2025-69873
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4f-4pwh-qvx6
Release Date: Feb 11, 2026 12:00 AM
Fix Resolution : https://github.com/ajv-validator/ajv.git - v8.18.0,https://github.com/ajv-validator/ajv.git - v6.14.0
📂 Vulnerable Library - terser-webpack-plugin-5.3.6.tgz
Terser plugin for webpack
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Findings
Details
🟣CVE-2023-28154
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
terser-webpack-plugin-5.3.6.tgz (Root Library)
webpackbar-5.0.2.tgz (Root Library)
mini-css-extract-plugin-2.7.2.tgz (Root Library)
❌ webpack-5.75.0.tgz (Vulnerable Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: Mar 13, 2023 12:00 AM
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.2%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: webpack/webpack#16500
Release Date: Mar 13, 2023 12:00 AM
Fix Resolution : webpack - 5.76.0
🟠CVE-2024-43788
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
terser-webpack-plugin-5.3.6.tgz (Root Library)
webpackbar-5.0.2.tgz (Root Library)
mini-css-extract-plugin-2.7.2.tgz (Root Library)
❌ webpack-5.75.0.tgz (Vulnerable Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution : webpack - 5.94.0
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-6.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution : https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-6.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution : serialize-javascript - 6.0.2
🟡CVE-2025-68157
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
terser-webpack-plugin-5.3.6.tgz (Root Library)
webpackbar-5.0.2.tgz (Root Library)
mini-css-extract-plugin-2.7.2.tgz (Root Library)
❌ webpack-5.75.0.tgz (Vulnerable Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
Publish Date: Feb 05, 2026 11:08 PM
URL: CVE-2025-68157
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-38r7-794h-5758
Release Date: Feb 05, 2026 11:15 PM
Fix Resolution : webpack - 5.104.0
🟡CVE-2025-68458
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
terser-webpack-plugin-5.3.6.tgz (Root Library)
webpackbar-5.0.2.tgz (Root Library)
mini-css-extract-plugin-2.7.2.tgz (Root Library)
❌ webpack-5.75.0.tgz (Vulnerable Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
Publish Date: Feb 05, 2026 11:08 PM
URL: CVE-2025-68458
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-8fgc-7cc6-rx7x
Release Date: Feb 05, 2026 11:15 PM
Fix Resolution : webpack - 5.104.1
🟡CVE-2025-69873
Vulnerable Library - ajv-6.12.6.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
terser-webpack-plugin-5.3.6.tgz (Root Library)
webpack-5.75.0.tgz (Root Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$ ") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Publish Date: Feb 11, 2026 12:00 AM
URL: CVE-2025-69873
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-2g4f-4pwh-qvx6
Release Date: Feb 11, 2026 12:00 AM
Fix Resolution : https://github.com/ajv-validator/ajv.git - v8.18.0,https://github.com/ajv-validator/ajv.git - v6.14.0