webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium-based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking, which was reported as CVE-2018-14732. But webpack-dev-server always allows `Origin` headers that contain an IP address. This allows websites that are served on IP addresses to connect to the WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
Reserved 2025-03-21 | Published 2025-06-03 | Updated 2025-06-03 | Assigner GitHub_M
CWE-346: Origin Validation Error
github.com/...server/security/advisories/GHSA-9jgg-88mc-972h
github.com/...ommit/5c9378bb01276357d7af208a0856ca2163db188e
github.com/...ommit/72efaab83381a0e1c4914adf401cbd210b7de7eb
github.com/...0ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js
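The origin-validation error described above, shown as an added example that is not webpack-dev-server's code or its patch: a check that accepts any IP-address `Origin` beside one that accepts only allow-listed hosts. The allow-list, function names and sample origins are assumptions made for illustration.

```javascript
// Added illustration; not webpack-dev-server's code.
// ALLOWED_HOSTS and all function names are hypothetical.
const ALLOWED_HOSTS = new Set(["localhost", "dev.example.test"]);

// Hostname from an Origin header value, or null when it does not parse
// (this also covers the literal "null" origin).
function originHostname(origin) {
  try {
    return new URL(origin).hostname.replace(/^\[|\]$/g, "").toLowerCase();
  } catch {
    return null;
  }
}

// True for IPv4 dotted-quad or IPv6 literals. A hostname produced by the URL
// parser can only contain ":" when it is an IPv6 literal.
function isIpLiteral(host) {
  const octet = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
  const v4 = new RegExp(`^${octet}(\\.${octet}){3}$`);
  return v4.test(host) || host.includes(":");
}

// Weak: the behaviour the advisory describes, any IP-address Origin passes.
function allowsOriginWeak(origin) {
  const host = originHostname(origin);
  if (host === null) return false;
  return isIpLiteral(host) || ALLOWED_HOSTS.has(host);
}

// Hardened: an IP-address Origin passes only if explicitly allow-listed.
function allowsOriginStrict(origin) {
  const host = originHostname(origin);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed sample Origin values (documentation address ranges).
const SAMPLES = ["http://localhost:8080", "http://203.0.113.7:8000",
  "http://[2001:db8::1]", "https://other.example", "null"];

// Evaluate both checks for each origin so the difference is visible per row.
function compareChecks(origins) {
  return origins.map((o) => ({
    origin: o, weak: allowsOriginWeak(o), strict: allowsOriginStrict(o),
  }));
}

console.table(compareChecks(SAMPLES));
```

The rows where `weak` is true and `strict` is false are the IP-address origins that the allow-list check rejects.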