What is the CVSS score of CVE-2025-30359?

CVE-2025-30359 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Which versions of Webpack Dev Server are affected by CVE-2025-30359?

Organizations using webpack-dev-server should be aware of moderate risk from CVE-2025-30359 rated CVSS 5.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-30359?

Yes, a public proof-of-concept exploit is available for CVE-2025-30359. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-30359?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Webpack Dev Server CVE-2025-30359

EUVD-2025-16767 MEDIUM

Exposed Dangerous Method or Function (CWE-749)

2025-06-03 security-advisories@github.com

GHSA-4v9v-hfq4-rm2v

Code Injection Webpack Dev Server Red Hat

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Red Hat

5.3 MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16767

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Patch released

Mar 14, 2026 - 17:04 nvd

Patch available

PoC Detected

Oct 03, 2025 - 01:12 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 18:15 nvd

MEDIUM 5.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

33 npm packages depend on webpack-dev-server (14 direct, 21 indirect)

Ecosystem-wide dependent count for version 5.2.1.

DescriptionGitHub Advisory

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.

AnalysisAI

A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. Affects webpack-dev-server.

RemediationAI

Apply the vendor-supplied patch immediately.

More from same product – last 7 days

CVE-2026-9595 MEDIUM This Month

4.3 Jun 15

webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (/) and ws: t

Vendor StatusVendor

CVE-2025-30359 vulnerability details – vuln.today

Back

Webpack Dev Server CVE-2025-30359

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code