CVE-2020-15262
integrity hash vulnerability in webpack-subresource-integrity (npm)


What is CVE-2020-15262 About?

In `webpack-subresource-integrity` versions before 1.5.1, dynamically loaded chunks receive an invalid integrity hash, which browsers ignore, thus disabling Subresource Integrity (SRI) protection for these assets. This removes a critical security layer, making clients vulnerable to supply-chain attacks if a chunk is maliciously modified. Exploitation would require a compromise of the content delivery pipeline.

Affected Software

webpack-subresource-integrity <1.5.1

Technical Details

The `webpack-subresource-integrity` plugin, in versions prior to 1.5.1, incorrectly generates or assigns the integrity hash for dynamically loaded JavaScript chunks (e.g., those loaded via `import()` or `require.ensure`). While top-level chunks are unaffected, any subsequent chunks loaded by the browser will carry an invalid integrity hash.

Browsers, upon encountering an invalid or improperly formatted integrity hash in a `<script>` or `<link>` tag with an `integrity` attribute, will not attempt to validate the resource's integrity against the hash; instead, they will simply ignore the `integrity` attribute and load the resource without verification. This effectively renders the Subresource Integrity (SRI) protection moot for these dynamic chunks.

An attacker who manages to compromise the server hosting these chunks or the Content Delivery Network (CDN) can modify the chunk content. Without valid SRI checks, the compromised chunk will be loaded and executed by the user's browser, potentially leading to client-side attacks like XSS, data theft, or malware delivery, as the browser has no mechanism to detect the tampering.
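Added example, not code from the plugin or from this advisory: a Node.js build-audit check that models how a browser treats an `integrity` value (ignored when no token parses, otherwise enforced with the strongest algorithm present), so chunks whose SRI would be silently skipped can be flagged. The function names, chunk names and the malformed value are constructed for illustration, and the token grammar is a simplified reading of the SRI parsing rules.

```javascript
const crypto = require("crypto");

const ALGOS = ["sha256", "sha384", "sha512"]; // weakest to strongest
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/;

// Return only the well-formed hash expressions in an integrity value.
function parseIntegrity(value) {
  return String(value || "")
    .trim()
    .split(/\s+/)
    .map((t) => TOKEN.exec(t))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
}

// "ignored"  : nothing parseable, the browser loads the chunk unverified
// "match"    : SRI is enforced and the content passes
// "mismatch" : SRI is enforced and the browser would block the chunk
function checkChunk(integrity, content) {
  const parsed = parseIntegrity(integrity);
  if (parsed.length === 0) return "ignored";
  const strongest = ALGOS.filter((a) => parsed.some((p) => p.algo === a)).pop();
  const actual = crypto.createHash(strongest).update(content).digest("base64");
  const ok = parsed.some((p) => p.algo === strongest && p.digest === actual);
  return ok ? "match" : "mismatch";
}

// Helper that builds a correct SRI value for the given content.
function sri(algo, content) {
  return algo + "-" + crypto.createHash(algo).update(content).digest("base64");
}

// Audit a map of chunk name -> { integrity, content }.
function auditChunks(chunks) {
  const report = {};
  for (const [name, c] of Object.entries(chunks)) {
    report[name] = checkChunk(c.integrity, c.content);
  }
  return report;
}

// Constructed sample data; the malformed value is illustrative only and is
// not the value the affected plugin versions actually emitted.
const body = "console.log('lazy chunk');";
const SAMPLE = {
  "ok.js": { integrity: sri("sha384", body), content: body },
  "malformed.js": { integrity: "sha384-NOT_A_REAL_DIGEST!", content: body },
  "tampered.js": { integrity: sri("sha384", body), content: body + "/*changed*/" },
};
console.log(auditChunks(SAMPLE));
```

Any chunk reported as `ignored` has no effective SRI protection, which is the state this CVE leaves dynamic chunks in.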

What is the Impact of CVE-2020-15262?

Successful exploitation may allow attackers to serve tampered dynamic JavaScript chunks, leading to client-side code execution, data compromise, or defacement, as the browser's integrity checks are bypassed.

What is the Exploitability of CVE-2020-15262?

Exploitation of this vulnerability requires an attacker to successfully compromise the server or CDN hosting the vulnerable application's dynamic chunks. The vulnerability itself is a client-side bypass of a security control (SRI), meaning the attacker's primary challenge is the indirect compromise of the content source that serves these dynamic chunks. No authentication or specific privileges on the user's machine are needed. The attack is remote, contingent on the attacker's ability to inject malicious code into the served chunks. The complexity is high, as it relies on a supply-chain attack or direct server compromise. The lack of SRI provides a window for payload delivery once such a compromise occurs. This vulnerability significantly increases the risk should a content delivery mechanism be breached, as the intended integrity protection is absent.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2020-15262?

Available Upgrade Options

  • webpack-subresource-integrity
    • <1.5.1 → Upgrade to 1.5.1

What are Similar Vulnerabilities to CVE-2020-15262?

Similar Vulnerabilities: CVE-2016-5287, CVE-2019-15822, CVE-2020-28498, CVE-2021-23358, CVE-2022-21223