Skip to main content

webpack-dev-server CVE-2026-14620

| EUVDEUVD-2026-41558 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-03 openjs
4.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (openjs) PRIMARY
MEDIUM
qualitative
NVD
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
vuln.today AI
4.7 MEDIUM

Browser-driven CSRF over network, no auth on dev server, scope crosses to local OS editor; only availability degraded via recompilation spam.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from Vendor (openjs).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 03, 2026 - 18:01 EUVD
Analysis Generated
Jul 03, 2026 - 17:31 vuln.today

DescriptionNVD

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.

AnalysisAI

Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently invoke two unauthenticated state-changing endpoints - /webpack-dev-server/open-editor and /webpack-dev-server/invalidate - via simple browser-initiated GET requests that carry no CSRF protection. An attacker controlling a web page visited during an active dev session can open arbitrary local files in the developer's editor (including files outside the project root) and trigger repeated forced recompilations that degrade workstation performance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure developer to attacker-controlled webpage
Delivery
Browser auto-issues cross-origin GET to localhost dev server
Exploit
Invoke /open-editor with traversal file path
Execution
OS spawns editor process opening target file
Persist
Spam /webpack-dev-server/invalidate
Impact
Force repeated bundle recompilations degrading workstation

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions on the developer's workstation: (1) webpack-dev-server 5.2.5 or earlier must be actively running and listening on a known or guessable port (commonly 8080, 3000, or similar defaults); (2) the developer must visit a web page controlled by or injected with attacker content - a single passive page load suffices, no click-through interaction is needed beyond navigation; (3) the browser must be able to reach the localhost dev server port, which is the default state for any browser on the same machine. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.7 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L correctly reflects that no authentication is required and the scope change (S:C) captures the boundary crossing from browser to local OS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer running webpack-dev-server 5.2.5 on localhost port 8080 clicks a phishing link in a Slack message or visits a page with a malicious advertisement. The page's JavaScript fires a GET request to `http://localhost:8080/webpack-dev-server/open-editor?fileName=../../.ssh/id_rsa`, which causes the developer's configured editor to open the SSH private key file with no visible warning, while a concurrent loop of requests to `/webpack-dev-server/invalidate` forces continuous recompilation cycles that slow the workstation. …
Remediation Upgrade to webpack-dev-server 5.2.6, which is the vendor-released patch confirmed by the OpenJS Foundation CNA and the GitHub Security Advisory GHSA-f5vj-f2hx-8m93. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-14620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy