How to fix CVE-2025-30359?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Webpack Dev Server affected by CVE-2025-30359?

Organizations using webpack-dev-server should be aware of moderate risk from CVE-2025-30359 rated CVSS 5.3. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

CVE-2025-30359

EUVD-2025-16767 MEDIUM

2025-06-03 [email protected]

GHSA-4v9v-hfq4-rm2v

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16767

Patch Released

Mar 14, 2026 - 17:04 nvd

Patch available

PoC Detected

Oct 03, 2025 - 01:12 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 18:15 nvd

MEDIUM 5.3

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

Analysis

A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.

Technical Context

Vulnerability type: remote code execution. Affects webpack-dev-server.

Affected Products

['webpack-dev-server']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +26

POC: +20

Vendor Status

CVE-2025-30359 vulnerability details – vuln.today

Back

CVE-2025-30359

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-30359

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code