Severity: high

Missing Origin Validation

parcel-bundler

Overview

Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 1.10.0 or later.

Advisory timeline

  1. Created

    2018-11-02T03:41:24.051Z
  2. Updated

    2018-11-07T17:10:58.216Z