CVE-2025-30360 - Medium Severity Vulnerability
Vulnerable Library - webpack-dev-server-4.15.2.tgz
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz
Path to dependency file: /src/Local/docs/package.json
Path to vulnerable library:
- /src/Local/docs/node_modules/webpack-dev-server/package.json
- /src/blockly10/node_modules/webpack-dev-server/package.json
- /src/react_new_app/docs/node_modules/webpack-dev-server/package.json
- /src/react_new_app/my-app/node_modules/webpack-dev-server/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-dev-server-4.15.2.tgz (Vulnerable Library)
Found in HEAD commit: 642a29f4be078e5094d502da0a4f686426e9309b
Found in base branch: main
Vulnerability Details
webpack-dev-server lets users run webpack behind a development server that provides live reloading. Prior to version 5.2.1, a webpack-dev-server user's source code may be stolen when they visit a malicious website with a non-Chromium-based browser. The server checks the "Origin" header of WebSocket upgrade requests to prevent Cross-site WebSocket hijacking, the issue reported as CVE-2018-14732, but webpack-dev-server always accepts an "Origin" whose host is an IP address. A website served from an IP address can therefore connect to the dev server's WebSocket, and an attacker can obtain source code by a method similar to the one used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
Publish Date: 2025-06-03
URL: CVE-2025-30360
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jgg-88mc-972h
Release Date: 2025-06-03
Fix Resolution: webpack-dev-server - 5.2.1,https://github.com/webpack/webpack-dev-server.git - v5.2.1
Step up your Open Source Security Game with Mend here