Описание
Missing Origin Validation in webpack-dev-server
Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.
Recommendation
For webpack-dev-server update to version 3.1.11 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2018-14732
- https://github.com/webpack/webpack-dev-server/issues/1445
- https://github.com/webpack/webpack-dev-server/issues/1620
- https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10
- https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md#3111-2018-12-21
- https://www.npmjs.com/advisories/725
Пакеты
webpack-dev-server
< 3.1.11
3.1.11
Связанные уязвимости
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.