Security Audit

Webpack Security Audit

4 known vulnerabilities

Webpack is a widely used npm package. As of 2026-05-24, there are 4 known vulnerabilities in the OSV database. The latest stable version is 5.107.1. Developers should audit their dependency trees and update to patched versions.

Package Overview

Package
webpack
Ecosystem
npm
Latest Version
5.107.1
License
MIT
Description
Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Repository
https://github.com/webpack/webpack
Homepage
https://github.com/webpack/webpack

Known Vulnerabilities (4)

ID Severity Score Affected Versions Fixed In Description
CVE-2023-28154 CRITICAL 9.5 5.0.0 to 5.76.0 5.76.0 Cross-realm object access in Webpack 5
CVE-2024-43788 MODERATE 5.0 5.0.0-alpha.0 to 5.94.0 5.94.0 Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
CVE-2025-68157 LOW 2.5 5.49.0 to 5.104.0 5.104.0 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
CVE-2025-68458 LOW 2.5 5.49.0 to 5.104.1 5.104.1 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Security Recommendations

  1. Pin Webpack to the latest stable version (5.107.1) in your dependency manifest
  2. Enable automated dependency updates with Dependabot or Renovate
  3. Run regular vulnerability scans using npm audit
  4. Review your lock file (.package-lock.json) after every update
  5. Monitor the OSV database and NIST NVD for new advisories

FAQ

Is Webpack safe to use?
Webpack is actively maintained and widely used. As of 2026-05-24, there are 4 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Webpack have?
The OSV database currently lists 4 vulnerabilities for Webpack. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Webpack to fix vulnerabilities?
Run npm update webpack or npm install webpack@latest to get the newest version. Use npm audit to identify vulnerable dependencies in your project. Enable automated updates with Dependabot or Renovate to stay current.

Using AI-Generated Code with Webpack?

Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Webpack, we can verify it is locked to a safe version and properly configured.

Get a Vibe Coding Security Audit

Related Resources