Lucene search
Jiantao LiNODEJS:721HistoryNov 02, 2018 - 3:41 a.m.
Missing Origin Validation
2018-11-0203:41:24
Jiantao Li
www.npmjs.com
14
0.003 Low
EPSS
Percentile
66.3%
Overview
Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer’s source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.
Recommendation
Update to version 1.10.0 or later.
References
- [Sniffing Codes in Hot Module Reloading Messages
- ](https://blog.cal1.cn/post/Sniffing Codes in Hot Module Reloading Messages)
- GitHub Issue
- GitHub Pull Request
- GitHub Advisory
| CPE | Name | Operator | Version |
|---|---|---|---|
| parcel-bundler | lt | 1.10.0 |
Related
osv
osv
Missing Origin Validation in parcel-bundler
2018-10-30 20:36:53
veracode
veracode
Information Disclosure
2018-09-24 06:51:47
cve
cve
CVE-2018-14731
2018-09-21 17:29:05
cvelist
cvelist
CVE-2018-14731
2018-09-21 17:00:00
prion
prion
Code injection
2018-09-21 17:29:00
nvd
nvd
CVE-2018-14731
2018-09-21 17:29:05
github
github
Missing Origin Validation in parcel-bundler
2018-10-30 20:36:53