logo

Database

Lack of data validation In webpack-dev-server

Description

Missing Origin Validation in webpack-dev-server Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2018-147322. NVD-2018-147323. OSV-2018-147324. GCVE-2018-14732

References

1. https://github.com/webpack/webpack-dev-server/issues/14452. https://github.com/webpack/webpack-dev-server/issues/16203. https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d104. https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md#3111-2018-12-215. https://www.npmjs.com/advisories/725

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.