## Webpack v5.104.1 Patches Critical DOM Clobbering Vulnerability (CVE-2024-43788)
A critical security update for the widely used JavaScript module bundler Webpack patches a DOM Clobbering vulnerability that can lead to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-43788, resides in Webpack's `AutoPublicPathRuntimeModule`. This module is a core component for determining the public path of assets in web applications, making the vulnerability a significant risk for any project using an affected version.

The vulnerability allows an attacker to inject scriptless, attacker-controlled HTML elements—such as an `<i>` tag—into a web page. Through a technique known as DOM Clobbering, these elements can be used to manipulate the JavaScript environment and ultimately execute arbitrary code. The security advisory from the Webpack team indicates the issue was discovered internally, prompting the release of version 5.104.1 to address it. The update represents a jump from version 5.76.0, highlighting the importance of this security patch.

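To make the defensive point concrete, here is an added example (not code from the original page or from Webpack): a runtime that derives its public path from `document.currentScript` should first confirm that the value is a real `<script>` element. The `document` stand-ins, URLs, function names and fallback path are constructed assumptions.

```javascript
"use strict";

// Unhardened pattern: whatever document.currentScript resolves to is trusted.
function scriptUrlUnchecked(doc) {
  return doc.currentScript ? doc.currentScript.src : undefined;
}

// Hardened pattern: accept the value only when it really is a <script> element.
function scriptUrlChecked(doc) {
  const el = doc.currentScript;
  if (el && typeof el.tagName === "string" && el.tagName.toUpperCase() === "SCRIPT") {
    return el.src;
  }
  return undefined;
}

// Turn a script URL into a directory-style public path; fall back when unknown.
function publicPathFrom(scriptUrl, fallback) {
  if (typeof scriptUrl !== "string" || scriptUrl === "") return fallback;
  return scriptUrl
    .replace(/#.*$/, "")        // drop fragment
    .replace(/\?.*$/, "")       // drop query string
    .replace(/\/[^\/]+$/, "/"); // drop file name, keep directory
}

// Constructed stand-ins for `document` (plain objects, not real DOM nodes).
const genuineDoc = {
  currentScript: { tagName: "SCRIPT", src: "https://app.example/static/js/main.js?v=3" },
};
const clobberedDoc = {
  // Stand-in for a non-script element shadowing document.currentScript.
  currentScript: { tagName: "I", src: "https://untrusted.example/assets/x" },
};

const FALLBACK = "/static/js/"; // assumed explicit public path configured by the app

function demo() {
  return {
    genuineUnchecked: publicPathFrom(scriptUrlUnchecked(genuineDoc), FALLBACK),
    genuineChecked: publicPathFrom(scriptUrlChecked(genuineDoc), FALLBACK),
    clobberedUnchecked: publicPathFrom(scriptUrlUnchecked(clobberedDoc), FALLBACK),
    clobberedChecked: publicPathFrom(scriptUrlChecked(clobberedDoc), FALLBACK),
  };
}

console.log(demo());
```
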
This vulnerability poses a direct threat to application security, as successful exploitation could compromise user data and session integrity. The dependency management bot Renovate has automatically generated a pull request for the update, classifying it with high confidence. Developers and organizations relying on Webpack for building web applications must prioritize applying this patch to mitigate the risk of XSS attacks stemming from this DOM Clobbering gadget.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software vulnerability, open source, CVE-2024-43788, dependency management
- **Credibility**: unverified
- **Published**: 2026-03-27 05:27:03
- **ID**: 36871
- **URL**: https://whisperx.ai/en/intel/36871