Description
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server.
This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.
Recommendation
Update the browserify-hmr package to the latest compatible version. The version details are as follows:
- Affected version(s): < 0.4.0
- Patched version(s): 0.4.0
References
- GHSA-77q4-m83q-w76v
- blog.cal1.cn
- www.npmjs.com
- CVE-2018-14730
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- mpregular vulnerable to prototype pollution - CVE-2025-57323
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
- lite-server vulnerable to Denial of Service - CVE-2022-25940
- Manifest Uses a One-Way Hash without a Salt - CVE-2025-27408
- Tags:
- npm
- browserify-hmr
Last updated on January 09, 2023