Description
Versions of webpack-dev-server before 3.1.10 are missing origin validation on the WebSocket server. This vulnerability allows a remote attacker to steal a developer’s source code because the origin of requests to the WebSocket server used for Hot Module Replacement (HMR) is not validated.
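The check whose absence the description refers to, shown as an added example (not webpack-dev-server's own code or patch): the handshake handler compares the request's Origin header against an allowlist before accepting the WebSocket upgrade. The function names, `ALLOWED_HOSTS` and the sample headers are assumptions made for illustration.

```javascript
// Added illustration: Origin check for a dev-server WebSocket upgrade.
// ALLOWED_HOSTS and all function names are hypothetical, not webpack-dev-server's API.
const ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// Returns true only when the Origin header names an allowed host.
function isAllowedOrigin(originHeader, allowedHosts = ALLOWED_HOSTS) {
  // Browsers send Origin on WebSocket handshakes; a missing or opaque
  // ("null") origin is rejected rather than trusted.
  if (typeof originHeader !== 'string' || originHeader === '' || originHeader === 'null') {
    return false;
  }
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch (err) {
    return false; // not a syntactically valid origin
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return false;
  }
  // Compare the parsed hostname exactly. Substring or prefix matching would
  // accept hosts such as "localhost.attacker.example".
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// Decide the fate of an upgrade request from its lower-cased headers.
// Returns the HTTP status the server should answer with.
function checkUpgrade(headers) {
  return isAllowedOrigin(headers.origin) ? 101 : 403;
}

// Constructed sample handshake headers (not captured traffic).
const samples = [
  { origin: 'http://localhost:8080' },
  { origin: 'http://attacker.example' },
  { origin: 'http://localhost.attacker.example' },
  { origin: 'null' },
  {},
];
for (const h of samples) {
  console.log(String(h.origin), '->', checkUpgrade(h));
}
```

A server without this check answers every sample above with 101, which is the condition the advisory describes.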
Recommendation
Update the webpack-dev-server package to the latest compatible version. Version details:
- Affected version(s): < 3.1.11
- Patched version(s): 3.1.11
References
Related Issues
- webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins - CVE-2026-6402
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- Missing Origin Validation in browserify-hmr - CVE-2018-14730
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
- Tags:
- npm
- webpack-dev-server
Last updated on January 09, 2023


