Description:
I have identified a security vulnerability. The comlink-loader package currently relies on Webpack version 4.46.0, which is known to have a security issue tracked under CVE-2023-28154.
- CVE Identifier: CVE-2023-28154
- Reference: CVE-2023-28154
- CVSS Score: 9.8 (Critical)
- Category: CWE-noinfo
Vulnerability Details:
Webpack 4.46.0 is affected by CVE-2023-28154, which is a critical security vulnerability. Webpack 5 before version 5.76.0 is susceptible to this issue, and it can potentially lead to cross-realm object access. Specifically, the ImportParserPlugin.js mishandles the magic comment feature, and an attacker who controls a property of an untrusted object can obtain access to the real global object.
Recommendation:
To address this security vulnerability, I strongly recommend updating the package to use a version of Webpack that is equal to or greater than 5.76.0. This will ensure that the security issue is resolved.
Note:
I understand that this issue may not be directly within the control of the package maintainers, but I believe it's important to bring it to their attention for the safety and security of the user community.
Thank you for your attention to this matter.
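Added example, not code from the issue author or from the comlink-loader project: a small Node.js script that audits a package-lock.json for every resolved webpack install, including copies nested under another dependency, and flags any version below the 5.76.0 floor the report recommends. The lock file embedded in it is constructed for illustration; the package names, install paths and version numbers in it are assumptions, not taken from any real project.

```javascript
// Added example (not part of the issue or the comlink-loader project):
// audit a package-lock.json for webpack installs older than the 5.76.0
// floor the report recommends. Runs offline against a constructed lock file.

const FIXED_VERSION = "5.76.0"; // first release the report treats as fixed

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: <0 when a is older than b. A prerelease sorts below its
// release (5.76.0-beta.1 < 5.76.0), so a prerelease of the fix still counts as affected.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every resolved webpack install, whichever lockfile layout is present:
// lockfileVersion 2/3 has a flat "packages" map keyed by install path,
// lockfileVersion 1 has a nested "dependencies" tree.
function findWebpackVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "node_modules/webpack" || path.endsWith("/node_modules/webpack")) {
        found.push({ path, version: pkg.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "webpack") found.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Mark each install as vulnerable when it is older than FIXED_VERSION.
function auditLock(lock) {
  return findWebpackVersions(lock).map((w) => ({
    ...w,
    vulnerable: compareVersions(w.version, FIXED_VERSION) < 0,
  }));
}

// Constructed sample lock file (lockfileVersion 3), not from any real project:
// the app pins a fixed webpack at top level, but comlink-loader pulls in its
// own nested, older copy, which a top-level-only check would miss.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/webpack": { version: "5.76.0" },
    "node_modules/comlink-loader": { version: "2.0.0" },
    "node_modules/comlink-loader/node_modules/webpack": { version: "4.46.0" },
  },
};

const findings = auditLock(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version.padEnd(8)} ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested-path check matters here: a top-level `webpack` entry at 5.76.0 does not guarantee that a loader's own nested copy has been upgraded, so each install path is reported separately.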