webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

Severity:: Medium

Description

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server’s JavaScript bundles via <script> tags. The fix introduced in v5.2.

Recommendation

Update the webpack-dev-server package to the latest compatible version. Followings are version details:

Affected version(s): <= 5.2.3
Patched version(s): 5.2.4

References

GHSA-79cf-xcqc-c78w
cna.openjsf.org
CVE-2026-6402
CWE-749
CAPEC-310
OWASP 2021-A6

Related Issues

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
Missing Origin Validation in webpack-dev-server - CVE-2018-14732
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) - @nuxt/webpack-builder - CVE-2026-45670

Exploiting Server Version Disclosure

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; webpack-dev-server

Anything's wrong? Let us know Last updated on May 18, 2026