CVE-2025-30360 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

CVE-2025-30359

Webpack-dev-server CVE-2025-30359 affects the development server used to serve webpack bundles. Before version 5.2.1, an attacker could steal a user’s source code via a malicious site by injecting a script and abusing prototype pollution; exploitation could reveal code through webpack_modules via...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

webpack-dev-server 访问控制错误漏洞

webpack-dev-server is a webpack open source application that provides webpack. An access control error vulnerability exists in webpack-dev-server versions prior to 5.2.1, which stems from the possibility of source code theft when visiting a malicious website using a non-Chromium-based browser...

webpack-dev-server 安全漏洞

webpack-dev-server is a webpack open source application that provides webpack. A security vulnerability exists in webpack-dev-server versions prior to 5.2.1, which stems from the possibility of source code theft when a user visits a malicious website...

PT-2025-23649 · Unknown · Webpack-Dev-Server

Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.1 Description: The issue allows an attacker to obtain source code via a method similar to that used to exploit a previously reported vulnerability. This is possible because webpack-dev-server always...

PT-2025-23648 · Unknown · Webpack-Dev-Server

Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.1 Description: The issue allows an attacker to steal users' source code when they access a malicious website. This is possible because the request for a classic script by a script tag is not subject to...

VulnCheck KEV: CVE-2025-31125

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected...

CVE-2023-3348

The Wrangler command line tool [email protected] or [email protected] was affected by a directory traversal vulnerability when running a local development server for Pages wrangler pages dev command. This vulnerability enabled an attacker in the same network as the victim to connect to the local...

MAL-2025-4036 Malicious code in vue-dev-serverr (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a206a0d6714ab34f1c8c8d7893e516f6babb7bb3bb786fa679bde0c300e4815f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Directory Traversal

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root...

GHSA-859W-5945-R5V3 Vite's server.fs.deny bypassed with /. for files under project root

Summary The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Only files that are under project root and a...

SUSE CVE-2025-32395

Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec RFC 9112 does not allow in request-target. Although an attacker can sen...

GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

Information Exposure

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as . An attacker can access and retrieve the contents of arbitrary files by...

GHSA-XCJ6-PQ6G-QJ4X Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...

Incorrect Authorization

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest...