All webpack CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

webpack is the most widely used JavaScript bundler. CVEs in webpack are relatively rare given its complexity and age. The most significant one is a prototype pollution issue in its import.meta handling.

npm: 25M+ weekly downloads · 2 CVEs total

Full CVE history

CVE            | Year | Severity | Description                         | Fix
CVE-2019-10742 | 2019 | HIGH     | DoS via crafted JSON file           | Fixed 4.28.4
CVE-2023-28154 | 2023 | HIGH     | Prototype pollution via import.meta | Fixed 5.75.0

Current safe version: 5.75.0

# Before
"webpack": "5.69.0"
# After
"webpack": "5.75.0"

Then run: npm install

webpack CVEs and safe versions

webpack is a dev dependency in most projects — it runs only during the build process, not in production. CVEs in webpack rarely affect runtime security, but supply chain attacks targeting build tools are an increasing concern.

Known webpack CVEs

Package                | CVE            | Severity | Description                            | Safe Version
webpack                | CVE-2023-28154 | HIGH     | Prototype pollution via loader options | 5.76.0+
webpack-dev-middleware | CVE-2024-29180 | HIGH     | Path traversal                         | 7.1.0+

Fix webpack

# Update webpack
npm install webpack@latest --save-dev

# If using webpack-dev-middleware separately
npm install webpack-dev-middleware@latest --save-dev

# Check what version you have
npm list webpack webpack-dev-middleware

webpack and cross-spawn

webpack-cli pulls in cross-spawn as a transitive dependency. If you are on an old webpack-cli version, you may be running cross-spawn 7.0.3 (CVE-2024-21538). Update webpack-cli to get the patched version:

npm install webpack-cli@latest --save-dev
npm list cross-spawn
# Should show 7.0.6
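The two version checks above (npm list for webpack and webpack-dev-middleware, then for the transitive cross-spawn copy under webpack-cli) can be automated by walking the tree that `npm ls --all --json` prints. The script below is an added example, not PackageFix or webpack code; it uses the safe versions from the "Known webpack CVEs" table and the cross-spawn section above, and the dependency tree it reads is a constructed sample in the shape of npm's JSON output.

```javascript
// Added example (not PackageFix or webpack code): walk the JSON tree printed by
// `npm ls --all --json` and flag installed copies of the packages this page
// lists, including transitive ones such as cross-spawn under webpack-cli.
const SAFE_VERSIONS = {
  'webpack': '5.76.0',                // CVE-2023-28154
  'webpack-dev-middleware': '7.1.0',  // CVE-2024-29180
  'cross-spawn': '7.0.6',             // CVE-2024-21538
};

// Numeric compare of dotted versions (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed package below its safe version, with
// the dependency path so transitive copies can be traced to their parent.
function findVulnerable(tree, trail = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    const safe = SAFE_VERSIONS[name];
    if (safe && node.version && compareVersions(node.version, safe) < 0) {
      out.push({ name, version: node.version, safe, path: path.join(' > ') });
    }
    findVulnerable(node, path, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: 'my-app',
  dependencies: {
    'webpack': { version: '5.69.0' },
    'webpack-dev-middleware': { version: '7.1.0' },
    'webpack-cli': {
      version: '5.0.1',
      dependencies: { 'cross-spawn': { version: '7.0.3' } },
    },
  },
};

for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`${hit.path}: ${hit.version} < ${hit.safe}`);
}
```

Pipe real output in with `npm ls --all --json > tree.json` and replace SAMPLE_TREE with `JSON.parse(require('fs').readFileSync('tree.json'))`.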

Dev dependencies and security

webpack is a devDependency. Its CVEs affect your CI/CD environment and developer machines, not your production runtime. This matters for threat modelling — a webpack CVE that requires local code execution is lower severity in practice than the CVSS score suggests for typical projects.


Common questions

Does webpack 4 still receive security patches?
webpack 4 is in maintenance mode. CVE-2023-28154 affects only webpack 5. If you are on webpack 4, check whether you are affected and consider upgrading to webpack 5.
What is the import.meta prototype pollution in webpack?
CVE-2023-28154 allows prototype pollution via crafted import.meta expressions in processed JavaScript. Applications that process untrusted JavaScript through webpack are affected.
