Webpack AutoPublicPathRuntimeModule DOM Clobbering Vulnerability Exposes Applications to XSS — CVE-2024-43788

A critical DOM Clobbering vulnerability has been identified in Webpack's `AutoPublicPathRuntimeModule`, potentially enabling Cross-Site Scripting (XSS) attacks in applications that rely on affected versions of the bundler. The flaw, tracked as CVE-2024-43788 and catalogued under GHSA-4vvj-4cpr-p986, affects webpack versions prior to the security patch released in version 5.104.1.

Security researchers discovered that the `AutoPublicPathRuntimeModule` contains a gadget that can be exploited through DOM Clobbering techniques. This class of vulnerability occurs when an attacker manipulates HTML elements to override global JavaScript variables or functions, allowing injection of malicious behavior into otherwise trusted application code. The XSS risk emerges when webpack-generated runtime code processes paths dynamically, creating an attack vector for adversaries to execute arbitrary scripts within a victim's browser session. Organizations using webpack for frontend build pipelines face exposure if user-controlled data reaches path resolution functions without proper sanitization.

The vulnerability has been addressed through an upgrade to webpack 5.104.1, which patches the problematic runtime module. Development teams are urged to audit their dependency trees, verify whether `AutoPublicPathRuntimeModule` is present in their bundled outputs, and apply the security update immediately. Given the widespread adoption of webpack as a primary build tool for web applications, the potential blast radius of this flaw remains significant across the JavaScript ecosystem. Automated dependency management tools have begun rolling out notifications to repositories flagged as vulnerable.