Webpack Dev Server
webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (`/`) and `ws: true`, incorrectly forwards the dev server's own HMR WebSocket upgrade requests to the configured proxy backend. This unintentionally delivers browser cookies and the `Origin` header to the proxy target, bypasses the dev server's built-in Host/Origin validation, and corrupts the HMR channel by routing both HMR and proxy traffic over the same socket. No public exploit identified at time of analysis, though the affected configuration pattern is common in development setups; a vendor-released patch is available in version 5.2.5.
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, the source code of webpack-dev-server users may be stolen when they access a malicious website with a non-Chromium-based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking, which was reported as CVE-2018-14732. However, webpack-dev-server always allows `Origin` headers that contain an IP address. This allows websites served on IP addresses to connect to the WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.