What is the CVSS score of CVE-2025-30360?

CVE-2025-30360 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Webpack Dev Server are affected by CVE-2025-30360?

Organizations using webpack-dev-server should be aware of notable risk from CVE-2025-30360 rated CVSS 6.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-30360?

Yes, a public proof-of-concept exploit is available for CVE-2025-30360. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-30360?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Webpack Dev Server CVE-2025-30360

EUVD-2025-16764 MEDIUM

Origin Validation Error (CWE-346)

2025-06-03 security-advisories@github.com

GHSA-9jgg-88mc-972h

Information Disclosure Google Webpack Dev Server Chrome Red Hat

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Red Hat

6.5 MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16764

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Patch released

Mar 14, 2026 - 17:04 nvd

Patch available

PoC Detected

Nov 21, 2025 - 18:26 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 18:15 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

33 npm packages depend on webpack-dev-server (14 direct, 21 indirect)

Ecosystem-wide dependent count for version 5.2.1.

DescriptionGitHub Advisory

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

Analysis

Technical ContextAI

This vulnerability is classified as Origin Validation Error (CWE-346).

RemediationAI

A vendor patch is available. Apply it as soon as possible and verify the fix.

More from same product – last 7 days

CVE-2026-9595 MEDIUM This Month

4.3 Jun 15

webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (/) and ws: t

Vendor StatusVendor

CVE-2025-30360 vulnerability details – vuln.today

Back

Webpack Dev Server CVE-2025-30360

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code