CVE-2023-28154
cross-realm object access vulnerability in webpack

What is CVE-2023-28154 About?

Webpack 5 before 5.76.0 is vulnerable to cross-realm object access due to mishandling of the magic comment feature. An attacker controlling an untrusted object property can gain access to the real global object. This high-severity vulnerability allows significant privilege escalation within a JavaScript environment.

Affected Software

webpack >5.0.0, <5.76.0

Technical Details

The vulnerability lies in Webpack's `ImportParserPlugin.js`, which mishandles the 'magic comment' feature when objects cross JavaScript realms (e.g., between a sandbox and the main execution environment, or between different contexts). An attacker who controls a property of an untrusted object can craft that property so that, when `ImportParserPlugin.js` processes it with magic comments, the untrusted object escapes its realm. The escape gives the attacker access to the real global object of the main execution environment, bypassing isolation mechanisms and enabling arbitrary code execution or manipulation.

What is the Impact of CVE-2023-28154?

Successful exploitation may allow attackers to escape sandboxed environments, gain access to the real global object, and potentially execute arbitrary code or manipulate application behavior.

What is the Exploitability of CVE-2023-28154?

Exploitation requires the attacker to be able to introduce or control an untrusted object that gets processed by Webpack during compilation. This is primarily a local vulnerability within the build process or a scenario where untrusted code is being processed. Authentication requirements depend on how an attacker can inject this untrusted object; typically, no direct authentication to Webpack itself is needed. The complexity is moderate, requiring knowledge of JavaScript realms and Webpack's internal parsing mechanisms. The risk factors include building projects with untrusted dependencies or allowing untrusted code to be processed by Webpack, especially in server-side compilation.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-28154?

Available Upgrade Options

  • webpack
    • >5.0.0, <5.76.0 → Upgrade to 5.76.0
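
To confirm that no copy of webpack in a dependency tree remains in the affected range, the following added example (not code from this advisory or from the webpack project) scans a parsed `package-lock.json`. The sample lockfile and the package names in it are constructed, and flagging 5.0.0 itself is an assumption based on the description's "Webpack 5 before 5.76.0" wording.

```javascript
const FIXED = [5, 76, 0]; // first fixed release named on this page

// Parse "5.75.0" into [major, minor, patch]; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// The page lists ">5.0.0, <5.76.0" but also says "Webpack 5 before 5.76.0";
// this check takes the wider reading (assumption) and flags 5.0.0 too.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && v[0] === 5 && lessThan(v, FIXED);
}

// Handle both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/webpack$/.test(path) && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'webpack' && isAffected(pkg.version)) hits.push({ path, version: pkg.version });
      walk(pkg.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: a patched direct copy and an affected copy nested
// under a hypothetical build tool that pins its own webpack.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/webpack': { version: '5.76.0' },
  'node_modules/some-tool/node_modules/webpack': { version: '5.75.0' },
  'node_modules/webpack-cli': { version: '5.0.1' },
} };
console.log(findAffectedWebpack(sampleLock));
```

Nested copies matter because upgrading the top-level dependency does not change a version that another package pins for itself.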

What are Similar Vulnerabilities to CVE-2023-28154?

Similar Vulnerabilities: CVE-2023-45133, CVE-2021-23386, CVE-2020-7798, CVE-2021-39145, CVE-2022-26279