Описание
Missing Origin Validation in browserify-hmr
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server.
This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.
Recommendation
Upgrade to version 0.4.0 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2018-14730
- https://github.com/AgentME/browserify-hmr/issues/41
- https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages
- https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages)
- https://www.npmjs.com/advisories/726
Пакеты
Наименование
browserify-hmr
npm
Затронутые версииВерсия исправления
< 0.4.0
0.4.0
Связанные уязвимости
CVSS3: 7.5
nvd
больше 7 лет назад
An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.