CVE-2025-30360

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e
https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

Configurations

No configuration.

History

04 Jun 2025, 14:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 18:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-30360

Mitre link : CVE-2025-30360

CVE.ORG link : CVE-2025-30360

JSON object : View

Products Affected

No product.

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2025-30360", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-06-03T18:15:25.410", "references": [{"url": "https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127", "source": "security-advisories@github.com"}, {"url": "https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e", "source": "security-advisories@github.com"}, {"url": "https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb", "source": "security-advisories@github.com"}, {"url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue."}, {"lang": "es", "value": "webpack-dev-server permite a los usuarios usar webpack con un servidor de desarrollo que proporciona recarga en tiempo real. Antes de la versi\u00f3n 5.2.1, el c\u00f3digo fuente de los usuarios de webpack-dev-server pod\u00eda ser robado al acceder a un sitio web malicioso con un navegador que no fuera Chromium. El encabezado \"Origin\" se verifica para evitar el secuestro de WebSockets entre sitios, reportado por CVE-2018-14732. Sin embargo, webpack-dev-server siempre permite los encabezados \"Origin\" de direcciones IP. Esto permite que los sitios web que se sirven en direcciones IP se conecten a WebSockets. Un atacante puede obtener el c\u00f3digo fuente mediante un m\u00e9todo similar al utilizado para explotar CVE-2018-14732. La versi\u00f3n 5.2.1 incluye un parche para este problema."}], "lastModified": "2025-06-04T14:54:33.783", "sourceIdentifier": "security-advisories@github.com"}