Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

INFO

Published Date :

2025-06-03T17:41:59.457Z

Last Modified :

2025-06-03T17:58:12.605Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-30360 vulnerability.

Vendors Products
Webpack.js
  • Webpack-dev-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-30360.

URL Resource
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127 cve-icon cve-icon cve-icon
https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e cve-icon cve-icon cve-icon
https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb cve-icon cve-icon cve-icon
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-30360 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-30360 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact