## Critical 9.8 CVSS Vulnerability in style-loader 1.3.0 Exposes Frontend Projects
A critical security flaw with a CVSS score of 9.8 has been identified in the widely used `style-loader` npm package version 1.3.0. This vulnerability is flagged as 'reachable,' meaning the vulnerable code path is actually exercised by dependent applications, posing an immediate and severe risk to any project that has not updated. The issue was detected in the dependency trees of at least two frontend projects, `/achilles-frontend/` and `/baak-vizualization/`, highlighting how a single vulnerable library can propagate across multiple codebases.

The vulnerability is part of a cluster of four security issues found within the `style-loader-1.3.0.tgz` archive. While the other three vulnerabilities are rated as 'Low' severity, the presence of a 9.8-rated flaw, the highest score among the four, signals a critical failure in the library's security posture. The specific CVE details for the most severe issue are not fully disclosed in this report, but a CVSS score of 9.8 typically indicates vulnerabilities that are trivial to exploit and could lead to complete system compromise, such as remote code execution.

This discovery places urgent pressure on development and security teams to audit their dependency chains. The `style-loader` package is a fundamental tool in the webpack ecosystem for injecting CSS into the DOM, which makes a flaw in it a supply chain risk to a vast number of modern web applications. Organizations using affected versions must prioritize remediation, which may involve upgrading to a patched version of `style-loader` or implementing workarounds, though the report indicates remediation for some transitive dependencies may not be immediately possible.
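
One way to run the dependency-chain audit described above, as an added example that is not from the report or from the `style-loader` project: it walks the `packages` map of an npm v2/v3 lockfile, finds every installed copy of a pinned version, and lists which packages resolve to it. The sample lockfile, the package names `legacy-widgets` and `ui-kit`, and the function names are constructed for illustration.

```javascript
// Constructed sample in the npm lockfile v2/v3 "packages" layout (not a real project).
// In practice, pass the parsed contents of your own package-lock.json instead.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-frontend', devDependencies: {
      'style-loader': '^1.3.0', 'legacy-widgets': '^1.0.0', 'ui-kit': '^2.0.0' } },
    'node_modules/style-loader': { version: '1.3.0', dev: true },
    'node_modules/legacy-widgets': { version: '1.0.0', dev: true,
      dependencies: { 'style-loader': '^1.2.0' } },
    'node_modules/ui-kit': { version: '2.0.0', dev: true,
      dependencies: { 'style-loader': '^2.0.0' } },
    'node_modules/ui-kit/node_modules/style-loader': { version: '2.0.0', dev: true },
  },
};

// Node-style resolution: look in the requirer's own node_modules, then walk up.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Report each installed copy of name@version and every package that resolves to it.
// peerDependencies and workspace devDependencies are not considered here.
function auditPinned(lock, name, version) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/' + name) || meta.version !== version) continue;
    const requiredBy = [];
    for (const [from, m] of Object.entries(packages)) {
      const deps = { ...m.dependencies, ...m.optionalDependencies,
        ...(from === '' ? m.devDependencies : {}) };
      if (name in deps && resolve(packages, from, name) === path) {
        requiredBy.push({ from: from || '(root)', range: deps[name] });
      }
    }
    const direct = requiredBy.some((r) => r.from === '(root)');
    hits.push({ path, dev: Boolean(meta.dev), direct, requiredBy });
  }
  return hits;
}

console.log(JSON.stringify(auditPinned(sampleLock, 'style-loader', '1.3.0'), null, 2));
```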

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, npm, supply-chain, vulnerability, frontend
- **Credibility**: unverified
- **Published**: 2026-04-09 01:27:10
- **ID**: 55927
- **URL**: https://whisperx.ai/en/intel/55927