VYPR
Moderate severityNVD Advisory· Published Jun 3, 2025· Updated Jun 3, 2025

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

CVE-2025-30360

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
webpack-dev-servernpm
< 5.2.15.2.1

Affected products

20

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.