Critical DOM Clobbering XSS Vulnerability Found in Webpack 5 AutoPublicPathRuntimeModule — CVE-2024-43788
A significant security vulnerability has been identified in Webpack 5's `AutoPublicPathRuntimeModule`, exposing applications to Cross-Site Scripting (XSS) attacks through a technique known as DOM Clobbering. Tracked as CVE-2024-43788 and catalogued under GHSA-4vvj-4cpr-p986, the flaw affects all webpack versions up to and including 5.93.0. Security researchers discovered that the module's handling of runtime code creates an exploitable gadget that allows attackers to clobber legitimate global variables, ultimately enabling arbitrary script execution in the context of a victim's browser.
The vulnerability specifically leverages DOM Clobbering, a method where malicious HTML elements with specific `id` or `name` attributes override JavaScript variables in the global scope. When webpack's `AutoPublicPathRuntimeModule` attempts to resolve public path information at runtime, a crafted HTML document can intercept and redirect the execution flow. This differs from traditional XSS vectors in that it requires no direct injection of script tags — the attack surface lies in how the runtime module interacts with the DOM environment.
Developers using affected webpack versions are strongly advised to upgrade to version 5.104.1 immediately. The update patches the vulnerable code path in `AutoPublicPathRuntimeModule` and restores safe behavior for public path resolution. Organizations with complex build pipelines should audit their webpack configurations, particularly those employing dynamic `publicPath` settings, as these patterns may increase exposure to exploitation scenarios. Given the widespread adoption of webpack as a primary bundler for web applications, the potential blast radius of this vulnerability extends across a broad spectrum of production environments.
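To support the audit step, here is an added example (not code from webpack or from the advisory) that scans an npm lockfile for webpack installs in the range this page lists as affected, including nested copies pulled in by other dependencies. It assumes the page's "Webpack 5, up to and including 5.93.0" means major version 5 through 5.93.0; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for webpack versions in the affected range
// stated on this page (Webpack 5, up to and including 5.93.0).
// Function names are hypothetical; SAMPLE_LOCK is constructed test data.

// Parse "major.minor.patch", ignoring any prerelease/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True for 5.x releases at or below 5.93.0. Prereleases of 5.93.0 count as affected.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v || v[0] !== 5) return false; // unparseable or other major: review manually
  return v[1] < 93 || (v[1] === 93 && v[2] === 0);
}

// Walk the lockfile's "packages" map (lockfileVersion 2 and 3) and report every
// webpack install, top-level or nested under another dependency.
function findWebpackInstalls(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isWebpack =
      path === "node_modules/webpack" || path.endsWith("/node_modules/webpack");
    if (!isWebpack) continue; // skips webpack-cli, scoped look-alikes, etc.
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: one top-level and two nested webpack copies.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack": { version: "5.93.0" },
    "node_modules/webpack-cli": { version: "5.1.4" },
    "node_modules/legacy-tool/node_modules/webpack": { version: "5.75.0" },
    "node_modules/new-tool/node_modules/webpack": { version: "5.104.1" },
  },
});

for (const f of findWebpackInstalls(SAMPLE_LOCK)) {
  console.log(`${f.affected ? "AFFECTED" : "ok      "} ${f.version}  ${f.path}`);
}
```

In a real project, pass the contents of `package-lock.json` to `findWebpackInstalls`; a nested affected copy means upgrading the top-level dependency alone does not remove the vulnerable runtime from every bundle.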