CVE-2025-30360

An information exposure flaw has been discovered in webpack-dev-server. When accessing third party web sites with a non-Chromium based browser, a cross origin request may be allowed. This issue can result in the source code being stolen for users that use a predictable port and a non-Chromium bas...

CVE-2025-30359

An information exposure flaw has been discovered in webpack-dev-server. The request for classic script by a script tag is not subject to the same origin policy, allowing an attacker to inject a malicious script in their site and run the script. The attacker is required to know the port and the...

Exposed Dangerous Method or Function

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the webpackmodules object. An attacker can...

CVE-2025-30360

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2025-30359

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

CVE-2025-30360 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2025-30360

The CVE-2025-30360 entry concerns webpack-dev-server prior to v5.2.1, where an Origin header check for WebSocket connections was insufficient, allowing IP-based origins to access the WebSocket and potentially exfiltrate source code to malicious sites using non-Chromium browsers. The issue is miti...

CVE-2025-30360 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2025-30360 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

CVE-2025-30359

Webpack-dev-server CVE-2025-30359 affects the development server used to serve webpack bundles. Before version 5.2.1, an attacker could steal a user’s source code via a malicious site by injecting a script and abusing prototype pollution; exploitation could reveal code through webpack_modules via...

CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...

PT-2025-23648 · Unknown · Webpack-Dev-Server

Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.1 Description: The issue allows an attacker to steal users' source code when they access a malicious website. This is possible because the request for a classic script by a script tag is not subject to...

PT-2025-23649 · Unknown · Webpack-Dev-Server

Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.1 Description: The issue allows an attacker to obtain source code via a method similar to that used to exploit a previously reported vulnerability. This is possible because webpack-dev-server always...

webpack-dev-server 安全漏洞

webpack-dev-server is a webpack open source application that provides webpack. A security vulnerability exists in webpack-dev-server versions prior to 5.2.1, which stems from the possibility of source code theft when a user visits a malicious website...

webpack-dev-server 访问控制错误漏洞

webpack-dev-server is a webpack open source application that provides webpack. An access control error vulnerability exists in webpack-dev-server versions prior to 5.2.1, which stems from the possibility of source code theft when visiting a malicious website using a non-Chromium-based browser...

MAL-2023-1343 Malicious code in webpack-dev-server.legacy (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 85cd0dbb01e0045658eb423c4580a09f07f36ce5af1689227f99e72348cda4a6 The OpenSSF Package Analysis project identified 'webpack-dev-server.legacy' @ 1.0.0 npm as malicious. It is considered malicious because: - The...

MAL-2022-7105 Malicious code in webpback-dev-esrver (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5a8d0d272d86340f504944bad6bcbfca405fd215d44bdb0a9b2e77110713c88a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

GHSA-W3J4-76QW-WWJM Older releases of better_errors open to Cross-Site Request Forgery attack

Impact bettererrors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with...