CVE-2026-14631
- EPSS 0.31%
- Veröffentlicht 03.07.2026 17:23:41
- Zuletzt bearbeitet 07.07.2026 15:08:59
webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin ...
CVE-2026-14620
- EPSS 0.12%
- Veröffentlicht 03.07.2026 17:00:00
- Zuletzt bearbeitet 07.07.2026 15:12:43
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request origi...
CVE-2026-9595
- EPSS 0.16%
- Veröffentlicht 15.06.2026 15:00:21
- Zuletzt bearbeitet 16.06.2026 17:24:37
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the...
CVE-2026-6402
- EPSS 0.22%
- Veröffentlicht 12.05.2026 07:45:21
- Zuletzt bearbeitet 18.05.2026 15:23:03
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site requ...
CVE-2025-30360
- EPSS 0.29%
- Veröffentlicht 03.06.2025 17:41:59
- Zuletzt bearbeitet 21.11.2025 18:26:18
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. T...
CVE-2025-30359
- EPSS 0.43%
- Veröffentlicht 03.06.2025 17:39:16
- Zuletzt bearbeitet 03.10.2025 01:12:23
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic ...
CVE-2018-14732
- EPSS 2.53%
- Veröffentlicht 21.09.2018 17:29:05
- Zuletzt bearbeitet 21.11.2024 03:49:41
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone ca...