Severity: high

Missing Origin Validation

browserify-hmr

Overview

All versions of browserify-hmr are missing origin validation on the websocket server.

This vulnerability allows a remote attacker to steal a developer's source code, because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated.
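The check described above as missing, shown as a guard for the `upgrade` event of a Node `http.Server`. This is an added example, not code from browserify-hmr or from this advisory; the function names and the allowlisted origins are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, normalizeOrigin, isAllowedOrigin and
// guardUpgrade are hypothetical names, not part of browserify-hmr.

// Origins the developer actually serves the app from (constructed sample values).
const ALLOWED_ORIGINS = new Set(['http://localhost:3000', 'http://127.0.0.1:3000']);

// Normalise an Origin header to scheme://host[:port]; return null if unusable.
function normalizeOrigin(header) {
  // Missing, empty and opaque ("null") origins are rejected (policy assumption).
  if (typeof header !== 'string' || header === '' || header === 'null') return null;
  let url;
  try {
    url = new URL(header);
  } catch {
    return null; // malformed header
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // url.origin lower-cases the host and drops default ports, so comparison is exact.
  return url.origin;
}

// Exact-match allowlist. A prefix or substring test would accept look-alikes
// such as http://localhost.attacker.example:3000.
function isAllowedOrigin(header, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(header);
  return origin !== null && allowed.has(origin);
}

// Refuse the WebSocket handshake before any module source is sent.
// Returns true when the handshake may proceed. Intended use:
//   server.on('upgrade', (req, socket, head) => {
//     if (guardUpgrade(req, socket)) { /* hand off to the WebSocket library */ }
//   });
function guardUpgrade(req, socket, allowed = ALLOWED_ORIGINS) {
  if (isAllowedOrigin(req.headers.origin, allowed)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}
```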

Remediation

As there is currently no fix for this module, we recommend either not using it or, if it is used for development, using it with caution and with the risk understood and accepted.

Advisory timeline

  1. Created: 2018-11-07T19:05:15.697Z
  2. Updated: 2018-11-07T19:14:12.497Z