CVE-2026-6402
Description
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
webpack-dev-server ≤5.2.3 exposes source code cross-origin when served over HTTP due to insufficient fetch header check; patch sets CORP header.
Vulnerability
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins [1]. This allows a malicious site to include the bundled script via a <script> tag and extract module source code using prototype pollution and Function.prototype.toString [3].
Exploitation
An attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code. The attack requires the dev server to be served over HTTP at a guessable host and port, such as localhost:8080 [1]. The PoC demonstrates injecting a script tag and using prototype pollution to access the __webpack_modules__ object [3]. Additionally, on non-Chromium browsers, IP address origins are always allowed, enabling WebSocket-based attacks similar to CVE-2018-14732 [4].
Impact
Successful exploitation allows an attacker to read the complete bundled application source code, including any hardcoded secrets, business logic, or proprietary algorithms. This could lead to further attacks such as reverse engineering, intellectual property theft, or credential reuse [1][3][4].
Mitigation
Users should upgrade to webpack-dev-server 5.2.4 or later, which sets the Cross-Origin-Resource-Policy: same-origin header on responses to prevent cross-origin reads [1]. Chromium-based browsers from Chrome 142 onward are not affected due to local network access restrictions [1].
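The following is an added example, not code from webpack-dev-server or its advisory. It models the two behaviours contrasted above: a gate keyed on Sec-Fetch-* request headers, which fails open when a browser omits them over plain HTTP, and the unconditional Cross-Origin-Resource-Policy: same-origin response header that the fix relies on. Function names, the (req, res, next) middleware shape and the sample request are assumptions made for the illustration.

```javascript
// Added example; not webpack-dev-server's own code. Function names are
// hypothetical; header names and values follow the Fetch spec.

// Flawed gate: it can only block when Sec-Fetch-* is present. Browsers omit
// these headers for non-trustworthy origins (plain http://), so there the
// gate never fires and the bundle is served to any cross-site <script>.
function flawedSecFetchGate(reqHeaders) {
  const mode = reqHeaders["sec-fetch-mode"];
  const site = reqHeaders["sec-fetch-site"];
  if (mode === undefined || site === undefined) return "allow"; // fails open
  return mode === "no-cors" && site === "cross-site" ? "block" : "allow";
}

// Fixed behaviour: stamp CORP on every response so the browser itself refuses
// cross-origin no-cors reads, whether or not Sec-Fetch-* was sent.
// Written against the express/connect (req, res, next) middleware shape.
function corpMiddleware(req, res, next) {
  res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
  next();
}

// Simplified model of the browser's CORP check for a no-cors load such as
// <script src>. requestSite is the true origin relation (same-origin,
// same-site, cross-site); the browser knows it even when it sends no header.
function corpBlocksLoad(resHeaders, requestSite) {
  const corp = (resHeaders["cross-origin-resource-policy"] || "").toLowerCase();
  if (corp === "same-origin") return requestSite !== "same-origin";
  if (corp === "same-site") return requestSite === "cross-site";
  return false; // "cross-origin" or no header: nothing stops the read
}

// Run one request through the unpatched (gate only) or patched (CORP) model
// and report whether the loading page could read the bundle.
function evaluate(reqHeaders, requestSite, patched) {
  const resHeaders = {};
  if (patched) {
    const res = { setHeader: (k, v) => { resHeaders[k.toLowerCase()] = v; } };
    corpMiddleware({ headers: reqHeaders }, res, () => {});
  }
  const served = patched || flawedSecFetchGate(reqHeaders) === "allow";
  return served && !corpBlocksLoad(resHeaders, requestSite) ? "readable" : "blocked";
}

// Constructed sample: a cross-site <script> load over plain HTTP arrives with
// no Sec-Fetch-* headers at all.
const httpCrossSiteRequest = { host: "localhost:8080", accept: "*/*" };
console.log(evaluate(httpCrossSiteRequest, "cross-site", false)); // readable
console.log(evaluate(httpCrossSiteRequest, "cross-site", true));  // blocked
```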
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cna.openjsf.org/security-advisories.html (nvd; Vendor Advisory)
- github.com/advisories/GHSA-79cf-xcqc-c78w (ghsa; Advisory)
- github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w (nvd; Mitigation; Vendor Advisory)
- github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v (ghsa)
- github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h (ghsa)
- nvd.nist.gov/vuln/detail/CVE-2026-6402 (ghsa)
News mentions
No linked articles in our index yet.