
Missing Origin Validation in webpack-dev-server

High severity GitHub Reviewed Published Jan 4, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm webpack-dev-server (npm)

Affected versions

< 3.1.11

Patched versions

3.1.11

Description

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.
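The class of check the advisory describes as missing, as an added example (not webpack-dev-server's own code or patch): an Origin check on WebSocket upgrade requests for a Node `http.Server`, assuming the legitimate clients are pages served from the same host or from a hypothetical `allowedHosts` option.

```javascript
// Added example, not webpack-dev-server's code: an Origin check for WebSocket
// upgrade requests, the check CVE-2018-14732 describes as missing.
// Uses Node's global WHATWG URL class; no third-party modules.

// Strip the scheme's default port so "localhost" and "localhost:80" compare equal.
function normaliseHost(hostHeader, protocol) {
  const defaultPort = protocol === 'https:' ? ':443' : ':80';
  const h = hostHeader.toLowerCase();
  return h.endsWith(defaultPort) ? h.slice(0, -defaultPort.length) : h;
}

// Decide whether an upgrade request may proceed. Browsers always send Origin
// on WebSocket upgrades, so a cross-site page is identified by that header.
// `allowedHosts` (assumed option) lists extra hostnames that may connect.
function isUpgradeAllowed(headers, allowedHosts = []) {
  const host = headers['host'];
  if (!host) return false;               // HTTP/1.1 requires Host; refuse without it
  const origin = headers['origin'];
  if (origin === undefined) return true; // no Origin: non-browser client, not cross-site
  let parsed;
  try {
    parsed = new URL(origin);            // throws on "null" (sandboxed pages) and junk
  } catch {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // Same-origin page: Origin host:port equals the Host the request was sent to.
  if (parsed.host === normaliseHost(host, parsed.protocol)) return true;
  return allowedHosts.map((h) => h.toLowerCase()).includes(parsed.hostname);
}

// Wire the check into a Node http.Server: reject the upgrade before the
// WebSocket handshake completes, so the HMR socket never opens cross-site.
function attachOriginGuard(server, allowedHosts, onUpgrade) {
  server.on('upgrade', (req, socket, head) => {
    if (!isUpgradeAllowed(req.headers, allowedHosts)) {
      socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    onUpgrade(req, socket, head);        // hand off to the real WebSocket handler
  });
}
```

A missing Origin is accepted on purpose: only browsers add the header, and the cross-site page in the advisory's scenario is a browser client.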

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

References

Published to the GitHub Advisory Database Jan 4, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2018-14732

GHSA ID

GHSA-cf66-xwfp-gvc4

Credits
