Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRmYzQtY2hnNy1oOGdo

Unprotected dynamically loaded chunks

Impact

All dynamically loaded chunks receive an invalid integrity hash. The browser ignores the invalid hash and therefore cannot validate the integrity of those chunks. This removes the additional level of protection that Subresource Integrity (SRI) offers for such chunks. Top-level chunks are unaffected.

Patches

This issue is patched in version 1.5.1.

Workarounds

N/A

References

https://github.com/waysact/webpack-subresource-integrity/issues/131

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-4fc4-chg7-h8gh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRmYzQtY2hnNy1oOGdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-4fc4-chg7-h8gh, CVE-2020-15262
References: Repository: https://github.com/waysact/webpack-subresource-integrity
Blast Radius: 21.5

Affected Packages

npm:webpack-subresource-integrity
Dependent packages: 172
Dependent repositories: 649,528
Downloads: 12,747,046 last month
Affected Version Ranges: < 1.5.1
Fixed in: 1.5.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.5.0
All unaffected versions: 1.5.1, 1.5.2, 5.0.0, 5.1.0