Bug 2370070 (CVE-2025-30360) - CVE-2025-30360 webpack-dev-server: webpack-dev-server information exposure
Summary: CVE-2025-30360 webpack-dev-server: webpack-dev-server information exposure
Keywords:
Status: NEW
Alias: CVE-2025-30360
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2370088 2370089 2370091 2370093 2370095 2370097 2370099 2370103 2370105 2370107 2370109 2370111 2370113 2370101 2370115
Blocks:
Reported: 2025-06-03 18:01 UTC by OSIDB Bzimport
Modified: 2025-06-03 21:32 UTC (History)
CC List: 94 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-03 18:01:21 UTC
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium-based browser. The `Origin` header is checked to prevent cross-site WebSocket hijacking, which was reported as CVE-2018-14732. But webpack-dev-server always allows IP-address `Origin` headers. This allows websites that are served on IP addresses to connect to the WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
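The description turns on one detail of the `Origin` check: an allow-list check that unconditionally accepts any IP-address origin lets a page served from an IP address open the development server's WebSocket. The block below is an added illustration, not code from webpack-dev-server or from this bug report: it parses an `Origin` header, models the permissive behaviour the description attributes to versions before 5.2.1 next to a strict allow-list check, and runs both over a constructed set of origins. The function names, the allow-list shape and the strict policy are this example's own assumptions and do not describe how the 5.2.1 patch is implemented.

```javascript
// Added example (not webpack-dev-server's own code): a permissive Origin
// check that accepts any IP-address origin, as the report describes for
// pre-5.2.1 versions, beside a strict allow-list check. Names and policy
// are assumptions made for this example.

// Parse an Origin header value into { scheme, host, port }, or null when it
// is absent, the opaque "null" origin, or not a bare scheme://host[:port].
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  // An Origin carries no path, query or fragment; reject anything else.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  // WHATWG URL keeps the brackets on IPv6 literals; strip them.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  return { scheme: url.protocol.replace(/:$/, ""), host, port: url.port };
}

// True when the (bracket-stripped) host is an IPv4 or IPv6 literal.
function isIpLiteral(host) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  return host.includes(":");
}

// Permissive policy modelled on the behaviour in the report: a syntactically
// valid IP-address origin is accepted before the allow-list is consulted,
// so a page served from 203.0.113.10 (constructed example address) passes.
function isOriginAllowedPermissive(origin, allowedHosts) {
  const parsed = parseOrigin(origin);
  if (!parsed) return false;
  if (isIpLiteral(parsed.host)) return true; // the weak spot
  return allowedHosts.includes(parsed.host);
}

// Strict policy (this example's own): the host must be on the allow-list,
// IP literals included. Loopback addresses are accepted only when listed.
function isOriginAllowedStrict(origin, allowedHosts) {
  const parsed = parseOrigin(origin);
  if (!parsed) return false;
  return allowedHosts.includes(parsed.host);
}

// Constructed sample origins, evaluated under both policies against an
// allow-list that names only the developer's own hosts.
function auditSampleOrigins() {
  const allowedHosts = ["localhost", "127.0.0.1"];
  const samples = [
    "http://localhost:8080",        // the developer's own page
    "http://127.0.0.1:8080",        // loopback, explicitly listed
    "http://203.0.113.10",          // unrelated site served on an IPv4 address
    "http://[2001:db8::1]:3000",    // unrelated site served on an IPv6 address
    "http://evil.example",          // unrelated hostname
    "null",                         // opaque origin (sandboxed frame, file://)
  ];
  return samples.map((origin) => ({
    origin,
    permissive: isOriginAllowedPermissive(origin, allowedHosts),
    strict: isOriginAllowedStrict(origin, allowedHosts),
  }));
}

console.table(auditSampleOrigins());
```

Run with Node; the table shows the two IP-address origins accepted by the permissive check and rejected by the strict one, while the listed hosts pass both. Note that the strict policy deliberately does not special-case loopback: if a developer wants `127.0.0.1` or `::1` to connect, it has to appear on the allow-list, which keeps the decision in configuration rather than in an implicit rule.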

