Intel

AIKIDO-2026-318059

webpack is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

38

Low Risk

This Affects:

JSwebpack
5.0.0 - 5.107.1
Fixed in 5.107.2
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to prototype pollution when processing the webpackEntryOptions magic comment on worker and other async entrypoints. In WorkerPlugin, user-supplied options were copied with Object.assign without filtering dangerous keys such as __proto__, constructor, or prototype. When a later async block joined an already-created entrypoint, buildChunkGraph would gap-fill missing entrypoint.options from those comments without sanitization, allowing crafted magic comments to mutate Object.prototype during the build. This can lead to unpredictable build behavior, corrupted plugin logic, or downstream security issues depending on how polluted prototypes are later consumed.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your build bundles worker or other async entrypoints that use the webpackEntryOptions magic comment, especially when multiple async blocks share the same entrypoint name or resolve to the same module.

Background info

webpack is vulnerable to Prototype Pollution in versions 5.0.0 - 5.107.1.

How to fix this

Upgrade the webpack library to the patch version.