CVE-2025-30360

June 4, 2025, 2:54 p.m.

6.5
Medium

Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

Product(s) Impacted

Vendor Product Versions
Webpack
  • Webpack-dev-server
  • <5.2.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-346
Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a webpack webpack-dev-server <5.2.1 / / / / / / /

References

https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e
https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

Tags

security-advisories@github.com
CWE-346
2025-06-03
CVE-2025-30360

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: June 3, 2025, 6:15 p.m.
Last Modified: June 4, 2025, 2:54 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.