HIGH 7.5

GHSA-cf66-xwfp-gvc4

Missing Origin Validation in webpack-dev-server

Details

Versions of `webpack-dev-server` before 3.1.10 are missing origin validation on the websocket server. Because the origin of requests to the websocket server used for Hot Module Replacement (HMR) is not validated, a remote attacker can steal a developer's source code.
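The kind of check the paragraph above describes as missing, as an added example (not webpack-dev-server's code or its actual fix): a Node.js function that validates the `Origin` header of a WebSocket handshake against an exact-match host allowlist. `ALLOWED_HOSTS`, `checkOrigin` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: Origin validation for a WebSocket handshake.
// ALLOWED_HOSTS, checkOrigin and the sample headers are constructed.

// Hostnames the developer loads the dev page from (assumption).
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1']);

// headers: lower-cased request headers of the HTTP upgrade request.
function checkOrigin(headers, allowedHosts = ALLOWED_HOSTS) {
  const origin = headers['origin'];
  // Browsers always send Origin on a WebSocket handshake. Rejecting
  // requests without it is a policy choice made for this sketch.
  if (typeof origin !== 'string' || origin === '') {
    return { allowed: false, reason: 'missing Origin header' };
  }
  let url;
  try {
    url = new URL(origin); // throws for opaque origins such as "null"
  } catch {
    return { allowed: false, reason: 'unparseable Origin' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'unexpected scheme' };
  }
  // Exact match on the parsed hostname. Prefix or substring tests would
  // accept look-alike hosts such as "localhost.example.test".
  if (!allowedHosts.has(url.hostname)) {
    return { allowed: false, reason: 'origin host not allowed' };
  }
  return { allowed: true, reason: 'origin host allowed' };
}

// Constructed handshake headers (not captured traffic).
const SAMPLES = [
  { origin: 'http://localhost:8080' },
  { origin: 'http://LOCALHOST:8080' },
  { origin: 'https://other-site.example' },
  { origin: 'http://localhost.example.test' },
  { origin: 'null' },
  {},
];

function evaluateSamples() {
  return SAMPLES.map((h) => checkOrigin(h).reason);
}

console.log(evaluateSamples());
```

A server using such a check would refuse the upgrade when `allowed` is false, before any HMR message is sent on the socket.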

Recommendation

For `webpack-dev-server`, update to version 3.1.11 or later.

Affected packages

npm / webpack-dev-server
Introduced in: 0
Fixed in: 3.1.11
Fix: `npm install webpack-dev-server@3.1.11`
