CVE-2025-30360 MEDIUM

CVE-2025-30360: webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

Vendor Webpack
Product webpack-dev-server
Weakness CWE-346 · Origin validation
Published June 3, 2025
Last update June 3, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

Key dates

02Disclosure timeline

June 3, 2025 CVE published
June 3, 2025 Record updated