Skip to main content

webpack-dev-server CVE-2026-6402

| EUVDEUVD-2026-29404 MEDIUM
Exposed Dangerous Method or Function (CWE-749)
2026-05-12 openjs GHSA-79cf-xcqc-c78w
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 12, 2026 - 09:01 EUVD
Analysis Generated
May 12, 2026 - 08:45 vuln.today
CVE Published
May 12, 2026 - 07:45 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 npm packages depend on webpack-dev-server (9 direct, 5 indirect)

Ecosystem-wide dependent count for version 5.2.4.

DescriptionCVE.org

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.

AnalysisAI

Cross-origin source code exposure in webpack-dev-server up to 5.2.3 allows attackers controlling a malicious website to steal bundled application source code when a developer runs the dev server over non-trustworthy HTTP origins. The vulnerability exploits the omission of Sec-Fetch-Mode and Sec-Fetch-Site headers on non-HTTPS connections, enabling script injection and cross-origin code exfiltration. Chromium-based browsers Chrome 142+ are exempt due to local network access restrictions. CVSS 5.3 (AC:H due to user requirement to visit attacker site; High confidentiality impact). Fix: upgrade to webpack-dev-server 5.2.4 or later.

Technical ContextAI

webpack-dev-server is a development server that bundles and serves web application code during development. The vulnerability stems from a flawed cross-origin protection mechanism (CWE-749: Improperly Controlled Interaction with Externally-Controlled Resources) that relied on browser-provided Sec-Fetch-Mode and Sec-Fetch-Site headers to prevent unauthorized script loading. These headers are only sent for trustworthy origins (HTTPS with valid certificates), not for plain HTTP. An attacker's website can reference the dev server's bundled JavaScript directly using a <script src="http://target-dev-server:port/bundle.js"></script> tag. The browser loads it due to the permissive Same-Origin Policy, and malicious JavaScript can extract and transmit the source via the browser's network stack or DOM inspection. The fix implements the Cross-Origin-Resource-Policy: same-origin header, which explicitly forbids cross-origin script loads regardless of origin trustworthiness.

RemediationAI

Upgrade webpack-dev-server to version 5.2.4 or later immediately; this version sets the Cross-Origin-Resource-Policy: same-origin header on all responses, preventing cross-origin script loads. To upgrade, run 'npm update webpack-dev-server@^5.2.4' or 'npm install webpack-dev-server@5.2.4' in your project. Verify the upgrade by checking package.json and package-lock.json. For teams unable to upgrade immediately, implement compensating controls: (1) Run webpack-dev-server exclusively on localhost (127.0.0.1) and ensure it binds to the loopback interface only (configure host: 'localhost' or host: '127.0.0.1' in webpack.config.js); this prevents remote access but still allows local CSRF-style attacks if a developer visits a malicious site on the same machine. (2) Use HTTPS for the dev server (require https: true in webpack.config.js with a self-signed certificate); this enables Sec-Fetch-* headers even during development and partially mitigates the issue, though developers must accept browser warnings. (3) Restrict network access to the dev server port (e.g., iptables, firewall rules) to trusted IPs only. (4) Educate developers to avoid visiting untrusted websites during development sessions. These workarounds have trade-offs: localhost-only binding may impede remote development or CI/CD scenarios; HTTPS adds friction to dev workflows; firewall rules require infrastructure coordination. None are as robust as the patch. Patch application is strongly preferred.

More in Chrome

View all
CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2016-5198 HIGH POC
8.8 Jan 19

V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac

CVE-2017-5070 HIGH POC
8.8 Oct 27

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a

CVE-2016-1646 HIGH POC
8.8 Mar 29

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2017-5030 HIGH POC
8.8 Apr 24

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2015-5123 CRITICAL
9.8 Jul 14

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-6402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy