Description
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server.
This vulnerability allows a remote attacker to steal a developer's source code: the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated, so any site a developer visits can connect to it.
Recommendation
Update the browserify-hmr package to the latest compatible version. Version details:
- Affected version(s): < 0.4.0
- Patched version(s): 0.4.0
References
- GHSA-77q4-m83q-w76v
- blog.cal1.cn
- www.npmjs.com
- CVE-2018-14730
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Missing Origin Validation in webpack-dev-server - CVE-2018-14732
- @farmfe/core is Missing Origin Validation in WebSocket - CVE-2025-56647
- @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation - CVE-2026-26019
- Parse Server missing audience validation in Keycloak authentication adapter - CVE-2026-30949
Tags:
- npm
- browserify-hmr
Last updated on January 09, 2023