Missing Origin Validation in webpack-dev-server
High severity
GitHub Reviewed
Published
Jan 4, 2019
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Published to the GitHub Advisory Database
Jan 4, 2019
Reviewed
Jun 16, 2020
Last updated
Jan 9, 2023
Credits
-
NikoRaisanen Analyst
Versions of
webpack-dev-serverbefore 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.Recommendation
For
webpack-dev-serverupdate to version 3.1.11 or later.References