webpack-dev-server 3.0.0-alpha1 vulnerabilities

Known vulnerabilities in the webpack-dev-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Exposed Dangerous Method or Function webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the `__webpack_modules__` object. An attacker can extract sensitive source code by injecting a malicious script into their site that utilizes `Function::toString` to access and serialize the functions stored within `__webpack_modules__`. Note: This is only exploitable if the attacker knows both the specific port and the output entrypoint script path. How to fix Exposed Dangerous Method or Function? Upgrade `webpack-dev-server` to version 5.2.1 or higher.	<5.2.1
H Origin Validation Error webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Origin Validation Error via the`Origin` header, which allows IP address origins to connect to WebSocket in the `checkHeader` function. An attacker can obtain sensitive data when accessing a malicious website with a non-Chromium-based browser by exploiting the WebSocket connection. Note: Chrome 94+ (and other Chromium-based browsers) users are unaffected by this vulnerability due to the non-HTTPS private access blocking feature. How to fix Origin Validation Error? Upgrade `webpack-dev-server` to version 5.2.1 or higher.	<5.2.1
H Information Exposure webpack-dev-server Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Information Exposure. The origin of requests is not checked by the WebSocket server, which is used for HMR. A malicious user could receive the HMR message sent by the WebSocket server via a `ws://127.0.0.1:8080/` connection from any origin. How to fix Information Exposure? Upgrade webpack-dev-server to version 3.1.11 or higher.	<3.1.11

Vulnerability

Vulnerable Version

Exposed Dangerous Method or Function

webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only.

Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the __webpack_modules__ object. An attacker can extract sensitive source code by injecting a malicious script into their site that utilizes Function::toString to access and serialize the functions stored within __webpack_modules__.

Note: This is only exploitable if the attacker knows both the specific port and the output entrypoint script path.

How to fix Exposed Dangerous Method or Function?

Upgrade webpack-dev-server to version 5.2.1 or higher.

<5.2.1

Origin Validation Error

webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only.

Affected versions of this package are vulnerable to Origin Validation Error via theOrigin header, which allows IP address origins to connect to WebSocket in the checkHeader function. An attacker can obtain sensitive data when accessing a malicious website with a non-Chromium-based browser by exploiting the WebSocket connection.

Note: Chrome 94+ (and other Chromium-based browsers) users are unaffected by this vulnerability due to the non-HTTPS private access blocking feature.

How to fix Origin Validation Error?

Upgrade webpack-dev-server to version 5.2.1 or higher.

<5.2.1

Information Exposure

webpack-dev-server Uses webpack with a development server that provides live reloading. It should be used for development only.

Affected versions of this package are vulnerable to Information Exposure. The origin of requests is not checked by the WebSocket server, which is used for HMR. A malicious user could receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

How to fix Information Exposure?

Upgrade webpack-dev-server to version 3.1.11 or higher.

<3.1.11

webpack-dev-server@3.0.0-alpha1 vulnerabilities

Serves a webpack app. Updates the browser on changes.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?