Bug 2370070 (CVE-2025-30360)

Summary: CVE-2025-30360 webpack-dev-server: webpack-dev-server information exposure
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, adkhan, anpicker, bdettelb, bparees, caswilli, cmah, cmiranda, crizzo, david.sastre, dbosanac, dhanak, doconnor, dranck, drosa, dsimansk, eaguilar, ebaron, eric.wittmann, ggrzybek, gmalinko, gryan, gzaronik, haoli, hasun, hkataria, ibek, jajackso, janstey, jcammara, jchui, jfula, jhe, jhuff, jkoehler, jmitchel, jneedle, jolong, jowilson, jreimann, jrokos, jwendell, jweng, jwong, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lchilton, lphiri, mabashia, matzew, mdessi, mnovotny, mrizzi, mwringe, nboldt, nipatil, nyancey, ometelka, pantinor, parichar, pbizzarr, pbraun, pcattana, pcongius, pdelbell, pjindal, psrna, ptisnovs, rcernich, rkubis, rstepani, sausingh, sfeifer, shvarugh, simaishi, smcdonal, stcannon, syedriko, tasato, teagle, tfister, thavo, ttakamiy, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An information exposure flaw has been discovered in webpack-dev-server. When accessing third party web sites with a non-Chromium based browser, a cross origin request may be allowed. This issue can result in the source code being stolen for users that use a predictable port and a non-Chromium based browser.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2370093, 2370095, 2370097, 2370099, 2370107, 2370109, 2370111, 2370113, 2370088, 2370089, 2370091, 2370101, 2370103, 2370105, 2370115    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-03 18:01:21 UTC 
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.