Severity: high

    Missing Origin Validation

    webpack-dev-server

    Overview

    Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. Because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated, a remote attacker can steal a developer's source code.
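The kind of check the overview describes as missing, shown as an added example (this is not webpack-dev-server's code or its actual patch). It validates the `Origin` header that browsers send on a WebSocket handshake against an exact-match host allowlist. `ALLOWED_HOSTS`, the function names, the sample handshakes and the choice to reject a missing `Origin` are assumptions made for illustration.

```javascript
// Added example: Origin validation for a dev-server WebSocket handshake.
// ALLOWED_HOSTS is an assumed allowlist, not taken from webpack-dev-server.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1']);

// Return the lowercase hostname of an Origin header value, or null if unusable.
function originHostname(origin) {
  if (typeof origin !== 'string' || origin === '' || origin === 'null') return null;
  try {
    const url = new URL(origin);
    // Only web origins are meaningful here; file:, data:, etc. are refused.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.hostname.toLowerCase();
  } catch {
    return null; // header value is not a parseable URL
  }
}

// Decide whether a handshake may proceed. `headers` uses lowercase keys,
// as Node's http module presents them on an 'upgrade' request.
function checkUpgrade(headers, allowedHosts = ALLOWED_HOSTS) {
  const host = originHostname(headers.origin);
  if (host === null) {
    return { accept: false, reason: 'missing or malformed Origin' };
  }
  // Exact match only: prefix or substring tests would let
  // "localhost.attacker.example" through.
  if (!allowedHosts.has(host)) {
    return { accept: false, reason: 'origin host not allowed: ' + host };
  }
  return { accept: true, reason: 'origin allowed' };
}

// Constructed sample handshakes (not captured traffic).
const SAMPLES = [
  { origin: 'http://localhost:8080' },            // the developer's own page
  { origin: 'http://LOCALHOST:3000' },            // hostname case is normalised
  { origin: 'https://attacker.example' },         // unrelated site
  { origin: 'http://localhost.attacker.example' },// look-alike prefix
  { origin: 'null' },                             // opaque origin
  {},                                             // header absent
];

function evaluateSamples() {
  return SAMPLES.map((h) => ({ origin: h.origin, ...checkUpgrade(h) }));
}

console.table(evaluateSamples());
```

In a real server this decision belongs in the HTTP `upgrade` handler, before the handshake is completed, so a refused origin never gets a socket.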

    Remediation

    For webpack-dev-server 2.x update to version 2.11.4 or later. For webpack-dev-server 3.x update to version 3.1.11 or later.

    Advisory timeline

    1. Created: 2018-11-07T17:10:22.191
    2. Updated: 2019-04-12T20:15:22.334