CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

EUVD-2025-32619

Malicious code in webpack-dev-serve-middleware npm...

GHSA-4V9V-HFQ4-RM2V webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary Source code may be stolen when you access a malicious web site. Details Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoi...

CVE-2024-29180

CVE-2024-29180 affects the webpack-dev-middleware development middleware used with webpack-dev-server/webpack-dev-middleware. The vulnerability arises from improper URL unescaping/normalization before parsing the requested file, allowing path traversal via sequences like %2e and %2f to access loc...