Terser-Webpack-Plugin 4.2.3 Exposes Critical Supply Chain Risk with 15 Vulnerabilities

A widely used JavaScript build tool, terser-webpack-plugin version 4.2.3, has been flagged with 15 distinct vulnerabilities, including one rated with a critical CVSS score of 8.8. The security scan reveals a deeply embedded supply chain risk, as these flaws are not only present but are also classified as 'reachable,' meaning they can be potentially exploited through the application's normal execution paths. This situation highlights a critical exposure point for any project or enterprise relying on this specific version of the plugin for code minification and bundling.

The primary vulnerability, CVE-2022-25883, is a medium-severity issue (CVSS 5.3) originating in a transitive dependency, `semver-6.3.0.tgz`. The path to the vulnerable library is traced directly to a project's `package.json` file, demonstrating how a single outdated package can introduce multiple security weaknesses into a software stack. According to the report, a remediation is possible by upgrading the terser-webpack-plugin to version 5.0.0 or later, which contains the necessary fixes.

This discovery places immediate pressure on development and security teams across countless web applications. The plugin's role in front-end build processes makes it a high-value target for supply chain attacks. Organizations must now audit their dependency trees, prioritize patching this component, and reassess their vulnerability management for transitive dependencies to prevent potential code execution or data compromise.