CVE-2025-30360

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e
https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

Configurations

No configuration.

History

04 Jun 2025, 14:54

Type	Values Removed	Values Added
Summary		(es) webpack-dev-server permite a los usuarios usar webpack con un servidor de desarrollo que proporciona recarga en tiempo real. Antes de la versión 5.2.1, el código fuente de los usuarios de webpack-dev-server podía ser robado al acceder a un sitio web malicioso con un navegador que no fuera Chromium. El encabezado "Origin" se verifica para evitar el secuestro de WebSockets entre sitios, reportado por CVE-2018-14732. Sin embargo, webpack-dev-server siempre permite los encabezados "Origin" de direcciones IP. Esto permite que los sitios web que se sirven en direcciones IP se conecten a WebSockets. Un atacante puede obtener el código fuente mediante un método similar al utilizado para explotar CVE-2018-14732. La versión 5.2.1 incluye un parche para este problema.

03 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 18:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-30360

Mitre link : CVE-2025-30360

CVE.ORG link : CVE-2025-30360

JSON object : View

Products Affected

No product.

CWE

CWE-346

Origin Validation Error

6.5 /10