All webpack CVEs — Complete Vulnerability History
webpack is the most widely used JavaScript bundler. CVEs in webpack are relatively rare given its complexity and age. The main CVE is a prototype pollution via import.meta handling.
npm
25M+ weekly downloads
2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-10742 | 2019 | HIGH | DoS via crafted JSON file | Fixed 4.28.4 |
| CVE-2023-28154 | 2023 | HIGH | Prototype pollution via import.meta | Fixed 5.75.0 |
Current safe version: 5.75.0
# Before
"webpack": "5.69.0"
# After
"webpack": "5.75.0"
Then run: npm install
Common questions
Does webpack 4 still receive security patches?
webpack 4 is in maintenance mode. CVE-2023-28154 only affects webpack 5. For webpack 4, check if you're affected and consider upgrading to webpack 5.
What is the import.meta prototype pollution in webpack?
CVE-2023-28154 allows prototype pollution via crafted import.meta expressions in processed JavaScript. Applications that process untrusted JavaScript through webpack are affected.