7 matches found
CVE-2018-14732
CVE-2018-14732 affects webpack-dev-server before 3.1.6. The WebSocket server used for Hot Module Replacement does not validate the request origin, allowing any origin (including ws://127.0.0.1:8080/) to receive HMR messages. This can enable an attacker to access a developer’s source code from a p...
CVE-2025-30360
The CVE-2025-30360 entry concerns webpack-dev-server prior to v5.2.1, where an Origin header check for WebSocket connections was insufficient, allowing IP-based origins to access the WebSocket and potentially exfiltrate source code to malicious sites using non-Chromium browsers. The issue is miti...
CVE-2025-30359
Webpack-dev-server CVE-2025-30359 affects the development server used to serve webpack bundles. Before version 5.2.1, an attacker could steal a user’s source code via a malicious site by injecting a script and abusing prototype pollution; exploitation could reveal code through webpack_modules via...
CVE-2026-9595
The CVE affects webpack-dev-server where a user-configured proxy with a broad context (e.g., /) and ws: true intercepts the dev server’s HMR WebSocket, forwarding it to the proxy target. This can leak cookies and Origin headers to the backend, bypass Host/Origin validation, and corrupt the HMR so...
CVE-2026-6402
The CVE-2026-6402 entry concerns webpack-dev-server (versions up to 5.2.3) and a cross-origin source code exposure when served over non-HTTPS/or untrusted origins. The root cause is that the prior fix relied on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers omit for non-trustworthy ori...
CVE-2026-14620
webpack-dev-server prior to 5.2.6 exposes two internal endpoints (/webpack-dev-server/open-editor and /webpack-dev-server/invalidate) that perform state-changing actions on any GET request without origin verification. This enables cross-origin interactions when a user visits any website while the...
CVE-2026-14631
Vulnerability overview: CVE-2026-14631 affects webpack-dev-server up to version 5.2.5. An unauthenticated peer sending a normal HTTP request with a malformed Host header or a WebSocket upgrade to /ws with a malformed Origin header triggers an uncaught exception in the host-validation path, crashi...