Description
Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated.
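The kind of Origin check the description says was missing, written as an added example for a Node `http.Server` `upgrade` event; it is not code from webpack-dev-server or from this advisory. The allowlist and the names `isAllowedOrigin`, `guardUpgrade` and `hmrUpgradeHandler` are hypothetical.

```javascript
// Added example; names and allowlist are assumptions, not webpack-dev-server code.
// Hosts a local dev server is expected to be opened from (constructed values).
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// True only if the Origin header is an http(s) origin whose hostname is an
// exact match for an allowlisted host.
function isAllowedOrigin(originHeader, allowedHosts = ALLOWED_HOSTS) {
  // Browsers send Origin on every WebSocket handshake. A missing header or the
  // opaque "null" origin is refused here, which is a strict policy choice.
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // not parseable as an origin
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Compare the parsed hostname, never a substring or prefix of the raw header:
  // "http://localhost.evil.example" must not pass as "localhost".
  return allowedHosts.has(url.hostname);
}

// Wraps a handler for the Node http.Server 'upgrade' event, e.g.
//   server.on('upgrade', guardUpgrade(hmrUpgradeHandler));
// Returns false and answers 403 when the origin is refused, so the HMR
// socket is never established for a page served from another site.
function guardUpgrade(next) {
  return (req, socket, head) => {
    if (!isAllowedOrigin(req.headers.origin)) {
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return false;
    }
    next(req, socket, head);
    return true;
  };
}
```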
Recommendation
Update the webpack-dev-server package to the latest compatible version. Version details:
- Affected version(s): < 3.1.11
- Patched version(s): 3.1.11
Related Issues
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - CVE-2025-30360
- mongosh vulnerable to local privilege escalation - CVE-2025-1756
- @langchain/community SQL Injection vulnerability - CVE-2024-7042
- Incorrect default cookie name and recommendation - Vulnerability
Tags: npm, webpack-dev-server
Last updated on January 09, 2023