GHSA-79CF-XCQC-C78W

Vulnerability from github – Published: 2026-05-18 13:31 – Updated: 2026-05-18 13:31
Summary
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
Details

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy). Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions (https://developer.chrome.com/release-notes/142#local_network_access_restrictions).

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).
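As an added illustration (this is not code from the webpack-dev-server project), the block below models the two defences the advisory contrasts: a request-header gate in the style of v5.2.1, which falls through to "allow" when a plain-HTTP browser sends no Sec-Fetch-* metadata, and the Cross-Origin-Resource-Policy response header that v5.2.4 sets regardless of the request. It also includes a defender-side check of a dev server's scheme and response headers; the function names and the shape of the gate are assumptions for the example.

```javascript
"use strict";

// Simplified model of a v5.2.1-style gate (not the project's actual source):
// refuse a bundle request that the browser marks as a cross-site no-cors fetch,
// which is how a <script src> from another origin is labelled.
// Header names are lower-cased, as Node's http module exposes them.
function secFetchGate(reqHeaders) {
  const mode = reqHeaders["sec-fetch-mode"];
  const site = reqHeaders["sec-fetch-site"];
  if (mode === "no-cors" && site === "cross-site") {
    return "deny";
  }
  // Missing headers fall through here. The advisory's point: over plain HTTP the
  // browser sends no Sec-Fetch-* metadata, so this branch is taken.
  return "allow";
}

// Model of the v5.2.4 fix: a response header the browser enforces for the
// bundle no matter what the request carried.
function patchedResponseHeaders(baseHeaders = {}) {
  return {
    ...baseHeaders,
    "cross-origin-resource-policy": "same-origin",
  };
}

// Defender-side audit of one bundle response from a dev server.
// Returns the reasons cross-origin <script> loads are blocked; an empty
// list means the bundle is exposed the way the advisory describes.
function assessBundleResponse(scheme, respHeaders) {
  const reasons = [];
  if (scheme === "https") {
    reasons.push("https origin: browser sends Sec-Fetch-* metadata (workaround)");
  }
  const corp = String(respHeaders["cross-origin-resource-policy"] || "")
    .trim()
    .toLowerCase();
  if (corp === "same-origin") {
    reasons.push("Cross-Origin-Resource-Policy: same-origin present (5.2.4 fix)");
  }
  return reasons;
}

// Constructed sample: a headerless request, as a plain-HTTP browser would send it.
const httpRequestHeaders = { host: "devbox.local:8080" };
console.log("gate verdict for headerless request:", secFetchGate(httpRequestHeaders));
console.log("unpatched http response:", assessBundleResponse("http", {}));
console.log("patched http response:", assessBundleResponse("http", patchedResponseHeaders()));
```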

Resources

  • GHSA-4v9v-hfq4-rm2v (CVE-2025-30359), original vulnerability: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
  • GHSA-9jgg-88mc-972h (CVE-2025-30360), prior bypass: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "webpack-dev-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T13:31:42Z",
    "nvd_published_at": "2026-05-12T09:16:55Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server\u0027s JavaScript bundles via `\u003cscript\u003e` tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on `Sec-Fetch-Mode` and `Sec-Fetch-Site` request headers to block these requests, but browsers only send these headers for [potentially trustworthy origins](https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy). Over plain HTTP, the headers are absent and the check is bypassed.\n\nAn attacker who knows the dev server\u0027s host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime\u0027s module registration.\n\nThis does not affect Chrome 142+ (and other Chromium-based browsers) due to [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\n### Patches\n\nPatched in webpack-dev-server \u003e= 5.2.4 by setting `Cross-Origin-Resource-Policy: same-origin` on responses.\n\n### Workarounds\n\nRun the dev server with HTTPS enabled (`--https` or `server.type: \u0027https\u0027` in config).\n\n### Resources\n\n- [GHSA-4v9v-hfq4-rm2v](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v) (CVE-2025-30359) - original vulnerability\n- [GHSA-9jgg-88mc-972h](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h) (CVE-2025-30360) - prior bypass",
  "id": "GHSA-79cf-xcqc-c78w",
  "modified": "2026-05-18T13:31:42Z",
  "published": "2026-05-18T13:31:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6402"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webpack/webpack-dev-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"
}