CVE-2026-6402: Cross-Origin Source Code Exposure in webpack-dev-server
Vulnerability ID: CVE-2026-6402
CVSS Score: 5.3
Published: 2026-05-18
A medium-severity vulnerability in webpack-dev-server versions up to 5.2.3 allows malicious external websites to exfiltrate an application's entire source code when the development server is accessed over plain HTTP. The vulnerability leverages cross-origin script inclusion to bypass origin restrictions.
TL;DR
webpack-dev-server <= 5.2.3 fails to block cross-origin script inclusions over HTTP due to missing Fetch Metadata headers, enabling attackers to steal local source code by hooking global webpack registry functions.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-749
- Attack Vector: Network (Requires User Interaction)
- CVSS Score: 5.3 (Medium)
- EPSS Score: 0.00033
- Impact: High Confidentiality Loss
- Exploit Status: Proof of Concept
- CISA KEV: Not Listed
Affected Systems
- webpack-dev-server <= 5.2.3 (fixed in 5.2.4)
Code Analysis
- Commit df073c5: fix for the cross-origin source code exposure, implemented by adding a CORP (Cross-Origin-Resource-Policy) header to dev-server responses
- Commit fd40130: release commit for version 5.2.4
Mitigation Strategies
- Upgrade webpack-dev-server to version 5.2.4 or later
- Run the development server over TLS (HTTPS) to enforce secure contexts
- Restrict the allowedHosts configuration directive to specific domains
Remediation Steps
- Identify projects utilizing webpack-dev-server versions <= 5.2.3
- Update package.json dependencies to require webpack-dev-server ^5.2.4
- Run npm install or yarn install to apply the updated dependencies
- Review webpack configuration files to remove 'allowedHosts: all' entries
- Implement HTTPS for local development environments where possible