MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRmYzQtY2hnNy1oOGdo

Severity: Low
EPSS: 0.00159% (0.37552 Percentile)

Unprotected dynamically loaded chunks

Affected package: npm:webpack-subresource-integrity
PURL: pkg:npm/webpack-subresource-integrity
Affected versions: < 1.5.1
Fixed versions: 1.5.1

172 Dependent packages
649,528 Dependent repositories
15,456,664 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 1.0.0, 1.0.0-rc.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.0-rc.1, 1.1.0-rc.2, 1.1.0-rc.3, 1.1.0-rc.4, 1.1.0-rc.5, 1.1.0-rc.6, 1.1.0-rc.7, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.5.0

All unaffected versions

1.5.1, 1.5.2, 5.0.0, 5.1.0

Impact

All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected.
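
Why an invalid hash means no protection rather than a blocked load, as an added Node.js example (not code from the advisory or the plugin): under the SRI specification, integrity tokens that do not match the grammar are discarded, and when none remain the resource loads unchecked. The function names and the sample chunk data are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// One SRI token per the spec grammar: <alg>-<base64>[?options].
// Only sha256, sha384 and sha512 are defined; anything else is discarded.
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/;
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Returns "unenforced" when no token is usable (the resource loads with no
// integrity check at all), otherwise "match" or "mismatch".
function sriStatus(integrity, bytes) {
  const tokens = String(integrity).trim().split(/\s+/)
    .map((t) => TOKEN.exec(t))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (tokens.length === 0) return "unenforced";
  // Only tokens using the strongest algorithm present are compared.
  const best = tokens.reduce((a, b) => (STRENGTH[b.alg] > STRENGTH[a.alg] ? b : a)).alg;
  const actual = createHash(best).update(bytes).digest("base64");
  return tokens.some((t) => t.alg === best && t.digest === actual) ? "match" : "mismatch";
}

// Build a valid integrity value for the given bytes.
function sriFor(alg, bytes) {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Audit a map of chunk name -> { integrity, source } taken from a build.
function auditChunks(chunks) {
  const report = {};
  for (const [name, { integrity, source }] of Object.entries(chunks)) {
    report[name] = sriStatus(integrity, Buffer.from(source));
  }
  return report;
}

// Constructed sample: one valid top-level chunk, one dynamic chunk with a
// malformed hash, and one chunk whose content no longer matches a valid hash.
const SAMPLE = {
  "main.js": { integrity: sriFor("sha384", Buffer.from("console.log('main')")), source: "console.log('main')" },
  "lazy-1.js": { integrity: "sha256-", source: "console.log('lazy')" },
  "lazy-2.js": { integrity: sriFor("sha256", Buffer.from("original")), source: "tampered" },
};

console.log(auditChunks(SAMPLE));
```

A chunk reported as "unenforced" is the case this advisory describes: the browser fetches and runs it regardless of content, whereas "mismatch" is the case where SRI would block the load.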

Patches

This issue is patched in version 1.5.1.

Workarounds

N/A

References

https://github.com/waysact/webpack-subresource-integrity/issues/131

For more information

If you have any questions or comments about this advisory:
