6.5
CVE-2026-6402
- EPSS 0.22%
- Veröffentlicht 12.05.2026 07:45:21
- Zuletzt bearbeitet 18.05.2026 15:23:03
- Quelle ce714d77-add3-4f53-aff5-83d477
- CVE-Watchlists
- Unerledigt
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webpack.Js ≫ Webpack-dev-server Version < 5.2.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.118 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
|
| ce714d77-add3-4f53-aff5-83d477b104bb | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
|
CWE-749 Exposed Dangerous Method or Function
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
https://cna.openjsf.org/security-advisories.html
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w