CVE-2025-30360 (Medium) detected in webpack-dev-server-4.11.0.tgz #236
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2025-30360 - Medium Severity Vulnerability
Serves a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.11.0.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
Found in base branch: master
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The "Origin" header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address "Origin" headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30360
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-9jgg-88mc-972h
Release Date: 2025-06-03
Fix Resolution: https://github.com/webpack/webpack-dev-server.git - v5.2.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: