
CVE-2025-30359: webpack-dev-server Source Code Disclosure Vulnerability

CVE-2025-30359 is a source code disclosure vulnerability in webpack-dev-server: a malicious website can load a developer's bundle from their running dev server and recover the application source from it. This article covers technical details, affected versions, detection, and mitigation.

Updated: January 22, 2026

CVE-2025-30359 Overview

CVE-2025-30359 is a source code disclosure vulnerability in webpack-dev-server, the development server that provides live reloading and hot module replacement for webpack projects. In versions prior to 5.2.1, a developer's application source code can be stolen when they visit a malicious website while the dev server is running, because the server handed out the bundle to cross-origin classic-script requests without any check on where the request came from.

A classic `<script>` include is not subject to the same-origin policy: the browser will fetch and execute a script from any origin without CORS, even though the including page may not read the response. An attacker can therefore place a script tag on their own site whose `src` points at the victim's dev server, and the victim's bundle runs inside the attacker's page. Combined with prototype pollution set up on that page, the attacker obtains references to the webpack runtime variables and recovers the source by calling `Function::toString` on the values in `__webpack_modules__`.

Critical Impact

An attacker who lures a developer to a malicious page can read the application's bundled source from the developer's running dev server. Everything compiled into the bundle is exposed: proprietary business logic, internal endpoints, and any API keys or tokens that were hard-coded into client code.

Affected Products

  • webpack-dev-server (npm package `webpack-dev-server`) versions prior to 5.2.1

Discovery Timeline

  • June 3, 2025 - CVE-2025-30359 published to NVD
  • October 3, 2025 - Last updated in NVD database

Technical Details for CVE-2025-30359

Vulnerability Analysis

The vulnerability rests on browser behaviour that is by design, not a bug: the same-origin policy stops a page from reading a cross-origin response, but a classic `<script src="...">` include is permitted to fetch and execute a script from any origin without CORS. webpack-dev-server, which normally listens on localhost during development, serves a bundle in which every module's source is embedded as a function inside the runtime's `__webpack_modules__` object; in an unminified development build those function bodies are essentially the original source files.

The attacker has to know two things: the port the dev server listens on and the path of the output entrypoint script. Both are predictable in many setups (8080 is the dev server's default port and `/main.js` is webpack's default output filename, with `/bundle.js` another common choice), so they can be guessed, or simply tried in turn, from the malicious page.

Including the bundle does not by itself expose anything: the webpack runtime wraps its state in a closure, so `__webpack_modules__` is not a global the attacker can read. That is where prototype pollution comes in. The attacker fully controls their own page, so they can install accessor properties on shared prototypes such as `Object.prototype` or `Function.prototype` before the bundle runs. When the webpack runtime then assigns to a property of one of its own objects (for example, when it exposes the module registry as `__webpack_require__.m`), the write hits the attacker's setter, which receives the runtime's internal object. Once the attacker holds `__webpack_modules__`, calling `Function.prototype.toString()` on each module function yields its source text, which the page can send to the attacker's server.

Root Cause

The root cause is classified under CWE-749 (Exposed Dangerous Method or Function). webpack-dev-server served the bundle, which embeds the complete development source, to any requester, with no check on whether the request came from the developer's own pages or from a cross-site `<script>` include on an arbitrary website. Since the browser executes such an include without CORS, the request had to be refused at the server, and prior to 5.2.1 it was not.

Attack Vector

The attack is network-based (the malicious page is delivered over the web) and requires the victim developer to visit that page while their webpack-dev-server is running. The page carries a classic script include pointing at the victim's own development server, for instance with the default port and entrypoint:

html
<script src="http://localhost:8080/main.js"></script>

The browser fetches the bundle from the victim's loopback interface and executes it inside the attacker's page. Prototype pollution that the attacker set up beforehand intercepts the webpack runtime's own property writes and hands the page a reference to the module registry. Iterating over `__webpack_modules__` and calling `toString()` on each module function reconstructs the application source, which is then posted to the attacker's server.

Attack complexity is rated high because the port and script path must be known, but common development configurations use predictable values, so the barrier is low in practice.

Detection Methods for CVE-2025-30359

Indicators of Compromise

  • Requests for the bundle (for example `/main.js`) at the dev server that carry `Sec-Fetch-Site: cross-site`, `Sec-Fetch-Mode: no-cors` and `Sec-Fetch-Dest: script`, or a `Referer`/`Origin` pointing at a site that is not your own development host
  • Browser console errors on an unfamiliar site that mention a script at `localhost` or `127.0.0.1` (the include fails visibly when the dev server happens not to be running)
  • Bundle fetches from non-loopback addresses, if the dev server was bound to a LAN interface
  • The prototype pollution itself runs entirely inside the attacker's page and leaves no trace in the dev server or the application; do not expect to find it in logs

Detection Strategies

  • Do not rely on perimeter or host-based network monitoring for the default setup: the request is issued by the developer's own browser to 127.0.0.1 and never leaves the machine. The dev server is the only place it is visible.
  • Log the Fetch Metadata (`Sec-Fetch-*`), `Origin` and `Referer` headers of every bundle request on the dev server, for instance with a small middleware; a cross-site classic-script fetch is the signature of this attack.
  • A Content-Security-Policy on the dev server's responses does not help: CSP constrains the page that includes the script, and here that page belongs to the attacker.
  • Where the dev server is deliberately reachable on the network, alert on bundle fetches to the usual dev ports (8080, 3000, 9000) from addresses other than the developer's own.

Monitoring Recommendations

  • Review dev-server request logs for bundle fetches with an external `Referer` or `Origin`, or with `Sec-Fetch-Site: cross-site`
  • Use a separate browser profile or container for development, so that ordinary browsing cannot reach the dev server's origin
  • Audit development environment network configuration (bind address, `allowedHosts`, port forwarding) for unintended exposure
  • Treat any confirmed hit as a leak of everything that was bundled: rotate API keys and tokens that were compiled into client code
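Because the dev server is the only vantage point, the practical check is to inspect the request headers of bundle fetches. The following added example (not webpack-dev-server's own code) implements that as a pure classifier over header objects plus a middleware that could be registered through webpack-dev-server's `setupMiddlewares` hook; the hook wiring, the `ALLOWED_SITES` list and the sample header sets are assumptions made for this article.

```javascript
"use strict";

// Sites whose pages are allowed to embed the bundle. Loopback names are
// same-site anyway; add a real dev hostname here if a front end served
// elsewhere deliberately loads the bundle from this server. (Assumption.)
const ALLOWED_SITES = new Set(["localhost", "127.0.0.1", "[::1]"]);

function hostnameOf(urlText) {
  try {
    return new URL(urlText).hostname;
  } catch {
    return null;
  }
}

// Lower-cases header names so the classifier works on plain objects and on
// Node's req.headers alike.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value[0] : value;
  }
  return out;
}

// Host of the page that made the request, from Origin or Referer, if any.
function requestingHost(h) {
  const source = h["origin"] || h["referer"];
  return source ? hostnameOf(source) : null;
}

// Returns a human-readable reason when the request looks like a cross-site
// classic-script include of the bundle, or null when it looks benign.
function classifyBundleRequest(headers, allowedSites = ALLOWED_SITES) {
  const h = normalizeHeaders(headers);
  const site = h["sec-fetch-site"];
  const dest = h["sec-fetch-dest"];
  const host = requestingHost(h);

  // Fetch Metadata is set by the browser and cannot be altered by the
  // attacker's page. The CVE-2025-30359 include shows up as
  // Sec-Fetch-Site: cross-site, Sec-Fetch-Mode: no-cors, Sec-Fetch-Dest: script.
  if (site === "cross-site" && dest === "script") {
    if (host !== null && allowedSites.has(host)) return null;
    return `cross-site <script> include of the bundle from ${host ?? "an unidentified page"}`;
  }

  // Browsers without Fetch Metadata: fall back to Origin/Referer. A malicious
  // page can strip Referer (referrerpolicy="no-referrer"), so this branch
  // catches only careless attackers; it is a detection aid, not a boundary.
  if (site === undefined && host !== null && !allowedSites.has(host)) {
    return `bundle requested by a page on unlisted site ${host}`;
  }
  return null;
}

// Middleware for webpack-dev-server's setupMiddlewares hook (v4.7+/v5).
// Refuses suspicious requests and logs the evidence a developer would
// otherwise never see.
function bundleGuardMiddleware(req, res, next) {
  const reason = classifyBundleRequest(req.headers);
  if (reason !== null) {
    console.warn(`[bundle-guard] blocked ${req.method} ${req.url}: ${reason}`);
    res.statusCode = 403;
    res.end("forbidden");
    return;
  }
  next();
}

// CONSTRUCTED header sets standing in for real requests to /main.js.
const SAMPLE_REQUESTS = {
  sameOriginDevPage: { host: "localhost:8080", "sec-fetch-site": "same-origin", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" },
  appOnLocalhost3000: { host: "localhost:8080", "sec-fetch-site": "same-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" },
  attackerIncludeModernBrowser: { host: "localhost:8080", "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script", referer: "https://attacker.example/" },
  attackerIncludeNoReferer: { host: "localhost:8080", "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" },
  attackerIncludeLegacyBrowser: { host: "localhost:8080", referer: "https://attacker.example/payload.html" },
  legacyBrowserLocalPage: { host: "localhost:8080", referer: "http://localhost:8080/" },
};

// Classifies every sample; returns a name -> reason (or null) map.
function auditSamples(allowedSites = ALLOWED_SITES) {
  const verdicts = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    verdicts[name] = classifyBundleRequest(headers, allowedSites);
  }
  return verdicts;
}

// webpack.config.js wiring (assumed project config):
//   devServer: {
//     setupMiddlewares: (middlewares) => {
//       middlewares.unshift(bundleGuardMiddleware);
//       return middlewares;
//     },
//   },

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditSamples());
}
```

Fetch Metadata is the reliable signal: Chromium, Firefox 90+ and Safari 16.4+ attach it to requests to potentially trustworthy origins, which includes `http://localhost`, and a page cannot forge or suppress it. The `Referer`/`Origin` fallback is weak (`referrerpolicy="no-referrer"` on the attacker's tag removes it) and only exists for older browsers. Start by logging rather than blocking, and add any front-end site that legitimately embeds the bundle to the allow list before switching the middleware to enforcement.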

How to Mitigate CVE-2025-30359

Immediate Actions Required

  • Upgrade webpack-dev-server to version 5.2.1 or later; the advisory lists no fixed release on the 4.x line, so 4.x projects need to move to 5.x
  • Until then, do not browse untrusted websites in the same browser profile while webpack-dev-server is running
  • Run the dev server on a non-default port and with a non-default output filename so that an attacker has to guess both
  • Bind the server to loopback and firewall the port; this limits exposure to other hosts but does not stop this attack, since the bundle fetch originates from the developer's own browser

Patch Information

The fix shipped in webpack-dev-server 5.2.1; the corresponding change is GitHub commit d2575ad8dfed9207ed810b5ea0ccf465115a2239, and the full write-up is GitHub Security Advisory GHSA-4v9v-hfq4-rm2v.

First check which version is actually installed with `npm ls webpack-dev-server`. Then pin the dependency explicitly: a plain `npm update` or `yarn upgrade` only moves within the range already declared in package.json, so a project on `^4` would stay on the vulnerable line.

bash
npm install --save-dev webpack-dev-server@^5.2.1

or (Yarn 1)

bash
yarn upgrade webpack-dev-server@^5.2.1

Workarounds

  • Binding webpack-dev-server to 127.0.0.1, firewalling the port, or putting it behind a local proxy or VPN keeps other machines away from the server, but does not stop this attack: the bundle fetch comes from the developer's own browser, so it arrives on loopback with `Host: localhost:8080` and passes the `allowedHosts` check as well
  • Choose a non-default port and output filename so that the attacker has to guess both
  • Use a dedicated browser profile or container for development, so that general web browsing cannot reach the dev server's origin at all
  • Keep secrets out of client bundles; anything compiled into the bundle must be assumed readable

javascript
// webpack.config.js: loopback bind plus a tight Host check. Good hygiene
// against access from other hosts; not a fix for CVE-2025-30359.
module.exports = {
  // ...
  devServer: {
    host: '127.0.0.1',
    port: 8080,
    allowedHosts: ['localhost', '127.0.0.1'],
  },
};

bash
# Firewall rule to block access from other hosts (Linux iptables)
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Source code disclosure (cross-origin script inclusion)
  • Vendor/Tech: webpack
  • Severity: MEDIUM
  • CVSS Score: 5.9
  • EPSS Probability: 0.05%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: None

CWE References

  • CWE-749

Vendor Resources

  • GitHub commit d2575ad8dfed9207ed810b5ea0ccf465115a2239
  • GitHub Security Advisory GHSA-4v9v-hfq4-rm2v

Related CVEs

  • CVE-2025-30360: webpack-dev-server Source Code Disclosure Vulnerability
  • CVE-2023-28154: webpack Cross-Realm Object Access Vulnerability
  • CVE-2025-68458: Webpack SSRF Vulnerability
  • CVE-2025-68157: Webpack SSRF Vulnerability