CVE-2020-15262

Invalid integrity hashes in webpack-subresource-integrity

Description

In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1.

Category

3.7
CVSS
Severity: Low
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.16%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: waysact webpack-subresource-integrity
Published at:
Updated at:

References

Link Tags
https://github.com/waysact/webpack-subresource-integrity/security/advisories/GHSA-4fc4-chg7-h8gh third party advisory
https://github.com/waysact/webpack-subresource-integrity/issues/131 third party advisory
https://github.com/waysact/webpack-subresource-integrity/commit/3d7090c08c333fcfb10ad9e2d6cf72e2acb7d87f third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-15262?
CVE-2020-15262 has been scored as a low severity vulnerability.
How to fix CVE-2020-15262?
To fix CVE-2020-15262, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-15262 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-15262 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-15262?
CVE-2020-15262 affects waysact webpack-subresource-integrity.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.