CVE-2025-30359: CWE-749: Exposed Dangerous Method or Function in webpack webpack-dev-server
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious website. Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-30359 is a medium-severity vulnerability affecting versions of webpack-dev-server prior to 5.2.1. webpack-dev-server is a popular development tool that provides live reloading for webpack-based projects, letting developers see code changes in real time during development. The vulnerability is classified as CWE-749 (Exposed Dangerous Method or Function) and can be exploited to steal source code. Requests for classic script files made through script tags are not restricted by the same-origin policy, so an attacker who knows the target's port and output entrypoint script path can inject a malicious script into a website they control. Combined with prototype pollution, this gives the attacker references to webpack runtime variables. By invoking `Function::toString` on the values in the `__webpack_modules__` object, the attacker can extract the source code of the application being served by webpack-dev-server. This exposure compromises the confidentiality of the source code but does not affect integrity or availability. Exploitation requires the attacker to know specific details such as the port and script path, and requires user interaction (visiting a malicious site). The issue was patched in version 5.2.1 of webpack-dev-server. No known exploits are currently reported in the wild.
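The cross-site script-tag request described above can be recognised on the server side from the browser's Fetch Metadata headers. The following is an added example, not code from webpack-dev-server or its patch; the function names and sample requests are constructed for illustration.

```javascript
// Added example, not webpack-dev-server code. Function names are hypothetical.
// A classic <script src> placed on an unrelated site reaches the server as a
// cross-site, no-cors fetch; the standard Sec-Fetch-* headers expose that.
function classifyRequest(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  const site = h['sec-fetch-site'];
  const mode = h['sec-fetch-mode'];
  if (site === undefined || mode === undefined) {
    // Older browsers and non-browser clients send no Fetch Metadata headers.
    return 'no-metadata';
  }
  if (site === 'cross-site' && mode === 'no-cors') {
    return h['sec-fetch-dest'] === 'script' ? 'cross-site-script' : 'cross-site-no-cors';
  }
  return 'ok'; // same-origin, same-site, navigations, CORS-mode fetches
}

// Connect-style middleware: refuse and log cross-site no-cors loads.
function rejectCrossSiteLoads(req, res, next) {
  const verdict = classifyRequest(req.headers);
  if (verdict.startsWith('cross-site')) {
    // JSON.stringify keeps request-supplied values from forging log lines.
    console.warn('[dev-server] blocked', verdict, JSON.stringify({
      method: req.method, url: req.url, referer: req.headers.referer || null,
    }));
    res.statusCode = 403;
    res.end('cross-site no-cors request refused');
    return;
  }
  next();
}

// Constructed sample requests (header sets only).
const SAMPLE_REQUESTS = {
  scriptTagOnOtherSite: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'script' },
  ownPageLoadingBundle: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'script' },
  addressBarNavigation: { 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' },
  commandLineClient: { 'User-Agent': 'curl/8.5.0' },
};

for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(label.padEnd(22), classifyRequest(headers));
}
```

Browsers attach Sec-Fetch-* headers only to requests for potentially trustworthy URLs (HTTPS or localhost), so a dev server reached over plain HTTP on a LAN address sees `no-metadata` and needs a different control, such as binding to loopback only.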
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of proprietary source code during development. Organizations using vulnerable versions of webpack-dev-server in their development environments risk unauthorized disclosure of intellectual property if developers visit malicious websites crafted to exploit this flaw. While this does not directly impact production systems, leaked source code can facilitate further attacks such as reverse engineering, vulnerability discovery, or intellectual property theft. The impact is particularly significant for software development firms, technology companies, and any organization relying on webpack for frontend development. Since the vulnerability requires user interaction and knowledge of specific server details, the risk is somewhat limited but still notable. Exposure of source code can also lead to reputational damage and potential compliance issues under data protection regulations if sensitive information is embedded in the code. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely.
Mitigation Recommendations
European organizations should immediately upgrade all instances of webpack-dev-server to version 5.2.1 or later to apply the patch that fixes this vulnerability. Development teams should audit their environments to identify any usage of vulnerable versions, including local developer machines, CI/CD pipelines, and shared development servers. Network segmentation and firewall rules should be employed to restrict access to development servers, especially limiting exposure of development ports to untrusted networks or the internet. Developers should be educated about the risks of visiting untrusted websites while connected to development environments. Additionally, consider disabling or restricting live reloading features in sensitive environments if possible. Monitoring network traffic for unusual requests to development server ports can help detect exploitation attempts. Finally, review and sanitize any prototype pollution vectors in the application code to reduce the risk of combined exploitation.
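For the audit step, the check below walks a parsed package-lock.json and reports every webpack-dev-server entry older than the fixed release 5.2.1, including copies nested under other packages. It is an added example, not tooling from the webpack project; the function names and the sample lockfile are constructed, and pre-releases of 5.2.1 are conservatively treated as unpatched.

```javascript
// Added example: audit a parsed package-lock.json for webpack-dev-server < 5.2.1.
const FIXED = [5, 2, 1];
const PKG_PATH = 'node_modules/webpack-dev-server';

function compareToFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version));
  if (!m) return 'unknown'; // git/file/link specs: needs manual review
  const nums = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i] ? 'vulnerable' : 'fixed';
  }
  return m[4] ? 'vulnerable' : 'fixed'; // 5.2.1-rc.0 sorts before 5.2.1
}

function auditLockfile(lock) {
  const findings = [];
  const check = (where, version) => {
    const status = compareToFixed(version);
    if (status !== 'fixed') findings.push({ where, version, status });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === PKG_PATH || path.endsWith('/' + PKG_PATH)) check(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail + '>' + name;
      if (name === 'webpack-dev-server') check(here, meta.version);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return findings;
}

// Constructed sample lockfile; "some-tool" is a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/webpack': { version: '5.98.0' },
    'node_modules/webpack-dev-server': { version: '4.15.2' },
    'node_modules/some-tool/node_modules/webpack-dev-server': { version: '5.2.1' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` and fail the CI job when the returned list is non-empty.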
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-21T14:12:06.271Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 683f3437182aa0cae286172a
Added to database: 6/3/2025, 5:43:19 PM
Last enriched: 7/11/2025, 6:17:43 AM
Last updated: 8/9/2025, 1:14:57 AM