webpack is vulnerable to Prototype Pollution
38
Low Risk
Affected versions of this package are vulnerable to prototype pollution when processing the webpackEntryOptions magic comment on worker and other async entrypoints. In WorkerPlugin, user-supplied options were copied with Object.assign without filtering dangerous keys such as __proto__, constructor, or prototype. When a later async block joined an already-created entrypoint, buildChunkGraph would gap-fill missing entrypoint.options from those comments without sanitization, allowing crafted magic comments to mutate Object.prototype during the build. This can lead to unpredictable build behavior, corrupted plugin logic, or downstream security issues depending on how polluted prototypes are later consumed.
You are affected if you are using a version that falls within the vulnerable range and your build bundles worker or other async entrypoints that use the webpackEntryOptions magic comment, especially when multiple async blocks share the same entrypoint name or resolve to the same module.
webpack is vulnerable to Prototype Pollution in versions 5.0.0 - 5.107.1.
Upgrade the webpack library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant