Update dependency webpack-dev-server to v5 [SECURITY]#425
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
August 10, 2025 13:50
a936e01 to
9deb83e
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
August 19, 2025 14:02
9deb83e to
84158ec
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
August 31, 2025 13:23
84158ec to
7de1164
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
September 25, 2025 13:47
7de1164 to
673e694
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
October 21, 2025 10:46
673e694 to
5f24097
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
November 10, 2025 15:01
5f24097 to
a07f5ec
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
November 18, 2025 20:10
a07f5ec to
e232b91
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
December 3, 2025 19:59
e232b91 to
db7cd7b
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
December 31, 2025 17:49
db7cd7b to
5a61b85
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
January 8, 2026 19:16
5a61b85 to
6413ee4
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
January 19, 2026 18:14
6413ee4 to
d7d3622
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
February 2, 2026 14:42
d7d3622 to
e0d1592
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
February 17, 2026 16:43
66cdd8b to
46168d6
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
March 5, 2026 17:40
46168d6 to
b391c81
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
March 30, 2026 17:58
b391c81 to
2ce57b0
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
3 times, most recently
from
April 29, 2026 13:39
24f9a10 to
ba63567
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
May 18, 2026 19:42
8271e82 to
285634b
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
May 19, 2026 15:02
285634b to
96917b8
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
June 1, 2026 22:38
090dc9e to
a1bc46f
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 11, 2026 15:57
a1bc46f to
4331c5e
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 20, 2026 21:57
4331c5e to
280e332
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
July 12, 2026 12:44
280e332 to
46ef70f
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
July 16, 2026 17:14
46ef70f to
7a86ca7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.11.3→5.2.5webpack-dev-server users' source code may be stolen when they access a malicious web site
CVE-2025-30359 / GHSA-4v9v-hfq4-rm2v
More information
Details
Summary
Source code may be stolen when you access a malicious web site.
Details
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject
<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.By using
Function::toStringagainst the values in__webpack_modules__, the attacker can get the source code.PoC
npm inpx webpack-dev-serverhttps://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/The script in the POC site is:
This script uses the function generated by
renderRequire.Especially, it uses the fact that
Array::forEachis called for__webpack_require__.iandexecOptionscontains__webpack_require__.It uses prototype pollution against
Array::forEachto extract__webpack_require__reference.Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.
Old content
Summary
Source code may be stolen when you use
output.iife: falseand access a malicious web site.Details
When
output.iife: falseis set, some global variables for the webpack runtime are declared on thewindowobject (e.g.__webpack_modules__).Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject
<script src="http://localhost:8080/main.js">in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on thewindowobject.By using
Function::toStringagainst the values in__webpack_modules__, the attacker can get the source code.I pointed out
output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on thewindowobject, the same will apply for those cases.PoC
npm inpx webpack-dev-serverhttps://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/src/index.jsand other scripts loaded.The script in the POC site is:
Impact
This vulnerability can result in the source code to be stolen for users that has
output.iife: falseoption set and uses a predictable port and output path for the entrypoint script.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
CVE-2025-30360 / GHSA-9jgg-88mc-972h
More information
Details
Summary
Source code may be stolen when you access a malicious web site with non-Chromium based browser.
Details
The
Originheader is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.But webpack-dev-server always allows IP address
Originheaders.https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.
related commit: webpack/webpack-dev-server@72efaab (note that
checkHostfunction was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.
PoC
npm inpx webpack-dev-serverhttp://{ipaddress}/?target=http://localhost:8080&file=mainwith a non-Chromium browser (I used Firefox 134.0.1)src/index.jsin the extracted directorysrc/index.jsThe script in the POC site is:
Impact
This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
CVE-2026-6402 / GHSA-79cf-xcqc-c78w
More information
Details
Impact
When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via
<script>tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied onSec-Fetch-ModeandSec-Fetch-Siterequest headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.
This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.
Patches
Patched in webpack-dev-server >= 5.2.4 by setting
Cross-Origin-Resource-Policy: same-originon responses.Workarounds
Run the dev server with HTTPS enabled (
--httpsorserver.type: 'https'in config).Resources
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
CVE-2026-9595 / GHSA-mx8g-39q3-5c79
More information
Details
Impact
When a user-configured proxy on
webpack-dev-serverhas a broad context (e.g./) andws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies andOriginheader to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).Patches
Fixed in
webpack-dev-server5.2.5.Workarounds
Scope user-defined proxy
contextto specific paths instead of/, or omitws: truefrom the proxy entry when WebSocket forwarding is not required.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
webpack/webpack-dev-server (webpack-dev-server)
v5.2.5Compare Source
Patch Changes
All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
5.2.4 (2026-05-11)
Bug Fixes
5.2.3 (2026-01-12)
Bug Fixes
causeforerrorObject(#5518) (37b033d)5.2.2 (2025-06-03)
Bug Fixes
X_TEST(#5451) (64a6124)allowedHostsoption for cross-origin header check (#5510) (03d1214)v5.2.4Compare Source
v5.2.3Compare Source
v5.2.2Compare Source
v5.2.1Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.2.0Compare Source
Features
getClientEntryandgetClientHotEntrymethods to get clients entries (dc642a8)Bug Fixes
v5.1.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.4Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.0.3Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.2Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.1Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v4.15.2Compare Source
4.15.2 (2024-03-20)
Bug Fixes
v4.15.1Compare Source
Migration Guide and Changes.
4.15.1 (2023-06-09)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.15.0Compare Source
Migration Guide and Changes.
4.15.1 (2023-06-09)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.14.0Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.3Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.2Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.1Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.0Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.12.0Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)Configuration
📅 Schedule: (in timezone Asia/Tokyo)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.