CVE-2018-14730
Description
An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing origin check in Browserify-HMR WebSocket server allows attackers to intercept hot module replacement messages and steal source code.
Vulnerability
Browserify-HMR, a Hot Module Replacement plugin for Browserify, includes a WebSocket server on ws://127.0.0.1:3123/ that does not validate the Origin header of incoming connections [1][2]. This allows any website or attacker to establish a WebSocket connection to the server. The issue affects Browserify-HMR versions prior to any fix released after the disclosure.
Exploitation
An attacker with network access to the developer's machine (e.g., by tricking the developer into visiting a malicious webpage) can connect to the WebSocket server at ws://127.0.0.1:3123/ from any origin. The server sends HMR messages containing updated source code to all connected clients, and the attacker passively receives them without any additional interaction.
Impact
Successful exploitation results in unauthorized disclosure of the developer's source code as it is modified in real time. The attacker gains access to proprietary or sensitive code, leading to information disclosure. No write access or remote code execution is achieved.
Mitigation
As of the available references, no patched version has been announced [1][2]. Users should restrict access to the WebSocket server by ensuring the development environment is not exposed to untrusted networks, or implement a reverse proxy that validates the Origin header. Alternatively, developers can disable Hot Module Replacement on untrusted networks.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| browserify-hmr (npm) | < 0.4.0 | 0.4.0 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-77q4-m83q-w76v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-14730 (NVD advisory)
- blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages (web)
- github.com/AgentME/browserify-hmr/issues/41 (web)
- www.npmjs.com/advisories/726 (web)
News mentions
No linked articles in our index yet.