5 matches found
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
Summary Source code may be stolen when you access a malicious web site with non-Chromium based browser. Details The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin header...
CVE-2025-30360 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0726react (=0.1.1) +23456 more potentially affected by CVE-2018-14732 via webpack-dev-server (>=1.10.1 <=3.1.10)
webpack-dev-server NPM version =1.10.1, =1.0.1, =1.1.0 - 0726react =0.1.1 - 0x0.icu.anima =0.1.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 - 0xgank-tea-characteristic =1.0...
CVE-2018-14732
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket...
CVE-2018-14732
CVE-2018-14732 affects webpack-dev-server before 3.1.6. The WebSocket server used for Hot Module Replacement does not validate the request origin, allowing any origin (including ws://127.0.0.1:8080/) to receive HMR messages. This can enable an attacker to access a developer’s source code from a p...