Missing Origin Validation in webpack-dev-server

high severity Published Jan 4, 2019 • Updated Sep 9, 2021

Package

webpack-dev-server (npm)

Affected versions

< 3.1.11

Patched versions

3.1.11

Description

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated.
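The kind of check the description says is missing, as an added example that is not webpack-dev-server's own code or its patch: the handshake handler compares the `Origin` header against an allow-list before accepting the WebSocket upgrade. The function names, the `allowedHosts` parameter and the sample headers are assumptions made for illustration.

```javascript
// Added example, not webpack-dev-server code. All names are hypothetical.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Return the lowercase hostname of an Origin header value, or null when the
// header is missing, opaque ("null"), unparsable, or not http(s).
function originHostname(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  try {
    const url = new URL(origin);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether a WebSocket upgrade request may proceed.
// `headers` uses lowercase keys, as Node's http module provides them.
function checkUpgrade(headers, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const host = originHostname(headers.origin);
  if (host === null) {
    // Browsers always send Origin on a WebSocket handshake, so a missing or
    // opaque value is refused rather than treated as same-origin.
    return { status: 403, reason: 'missing or invalid Origin' };
  }
  // Exact hostname match only: suffix or substring matching would accept
  // names such as "localhost.attacker.example".
  if (LOOPBACK.has(host) || allowed.has(host)) {
    return { status: 101, reason: 'origin allowed' };
  }
  return { status: 403, reason: `origin ${host} not allowed` };
}

// Constructed sample handshakes (not captured traffic).
const samples = [
  { origin: 'http://localhost:8080' },
  { origin: 'https://dev.internal.example' },
  { origin: 'https://attacker.example' },
  { origin: 'http://localhost.attacker.example' },
  { origin: 'null' },
  {},
];
for (const h of samples) {
  const r = checkUpgrade(h, ['dev.internal.example']);
  console.log(h.origin ?? '(none)', '->', r.status, r.reason);
}
```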

Recommendation

For webpack-dev-server 2.x update to version 2.11.4 or later.
For webpack-dev-server 3.x update to version 3.1.11 or later.

References

CVE ID

CVE-2018-14732

CVSS Score

7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N