Description
Command: serve
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was: No response
Description
From GHSA-9jgg-88mc-972h
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in `__webpack_modules__`, the attacker can get the source code.
Minimal Reproduction
- Download reproduction.zip and extract it
- Run npm i
- Run npx webpack-dev-server
- Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
- You can see the source code output in the document and the devtools console.
Exception or Error
Your Environment
Angular CLI: 18.2.19
Node: 22.14.0
Package Manager: npm 11.3.0
OS: win32 x64
Angular: 18.2.13
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, material, platform-browser
... platform-browser-dynamic, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1802.19
@angular-devkit/build-angular 18.2.19
@angular-devkit/core 18.2.19
@angular-devkit/schematics 18.2.19
@angular/cli 18.2.19
@schematics/angular 18.2.19
rxjs 7.8.1
typescript 5.5.4
zone.js 0.14.10
Anything else relevant? No response
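The class of check the dev server needs against the cross-site `<script src>` load described above, as an added example that is not the Angular CLI or webpack-dev-server change referenced by #30487; the function and middleware names, the bundle pattern and the sample headers are assumptions made for the example.

```javascript
// Dev-server guard: refuse to serve bundle scripts to cross-site requests. Relies on
// the browser-set Sec-Fetch-Site header (page JavaScript cannot spoof it), with a
// Referer fallback for older browsers. Constructed example with hypothetical names.

const BUNDLE_PATTERN = /\.m?js$/i; // output entrypoint scripts such as main.js

// Returns a reason string when the request must be refused, or null to allow it.
function crossSiteBlockReason(url, headers) { // headers: lower-cased names, Node style
  const pathname = url.split('?')[0];
  if (!BUNDLE_PATTERN.test(pathname)) return null; // only guard script bundles

  // A <script src="http://localhost:8080/main.js"> on a third-party page makes the
  // browser send Sec-Fetch-Site: cross-site; same-origin/same-site/none are normal.
  const site = headers['sec-fetch-site'];
  if (site === 'cross-site') return 'cross-site script load';

  // No Sec-Fetch-* support: compare the Referer/Origin host with the requested Host.
  // Caveat: a page sent with a no-referrer policy carries neither and is not caught.
  if (site === undefined) {
    const ref = headers.referer || headers.origin;
    if (ref) {
      let refHost;
      try { refHost = new URL(ref).host; } catch { return 'unparsable referer'; }
      if (refHost !== headers.host) return 'referer host mismatch';
    }
  }
  return null;
}

// Express/connect-style middleware applying the decision above.
function devServerGuard(req, res, next) {
  const reason = crossSiteBlockReason(req.url, req.headers);
  if (reason === null) return next();
  res.statusCode = 403;
  res.setHeader('Content-Type', 'text/plain');
  res.end(`Blocked: ${reason}\n`);
}

// Constructed requests showing the decision for each case.
const samples = [
  ['/main.js', { host: 'localhost:8080', 'sec-fetch-site': 'cross-site' }],
  ['/main.js', { host: 'localhost:8080', 'sec-fetch-site': 'same-origin' }],
  ['/main.js', { host: 'localhost:8080', referer: 'https://third-party.example/' }],
  ['/index.html', { host: 'localhost:8080', 'sec-fetch-site': 'cross-site' }],
];
for (const [url, headers] of samples) {
  console.log(url, JSON.stringify(headers), '->', crossSiteBlockReason(url, headers));
}
```

Current Chromium, Firefox and Safari all send Sec-Fetch-Site on script loads; the Referer fallback is weaker, so treat it as defence in depth rather than the primary control.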
Activity
alan-agius4 commented on Jun 11, 2025
Closed via #30487
angular-automatic-lock-bot commented on Jul 12, 2025
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
Read more about our automatic conversation locking policy.
This action has been performed automatically by a bot.