GitHub Advisory DatabaseGHSA-37Q6-576Q-VGR7Missing Origin Validation in parcel-bundler
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
66.3%
Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer’s source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.
Recommendation
Update to version 1.10.0 or later.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| parcel-bundler | lt | 1.10.0 |
References
blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages
blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages)
github.com/advisories/GHSA-37q6-576q-vgr7
github.com/parcel-bundler/parcel/commit/066e0bf6bd26b15c78bd47df023452e4b20073e4
github.com/parcel-bundler/parcel/issues/1783
github.com/parcel-bundler/parcel/pull/1794
nvd.nist.gov/vuln/detail/CVE-2018-14731
www.npmjs.com/advisories/721
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
66.3%