Webpack Dev Server
CVE-2018-14732
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 21 npm packages depend on webpack-dev-server (19 direct, 2 indirect)
Ecosystem-wide dependent count for version 3.1.11.
DescriptionNVD
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
AnalysisAI
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-20. An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin. Affected products include: Webpack.Js Webpack-Dev-Server. Version information: before 3.1.6..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Webpack Dev Server
View allwebpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version
A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC avail
webpack-dev-server 5.2.5 and earlier crash the entire Node.js host process when an unauthenticated remote peer sends eit
Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently
webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (/) and ws: t
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today