Severity: high

Missing Origin Validation

webpack-dev-server

Overview

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 3.1.6 or later.

Advisory timeline

  1. Created

    2018-11-07T17:10:22.191Z
  2. Updated

    2018-11-07T20:42:37.823Z