Advisories for Npm/Webpack-Dev-Server package

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed. An attacker who knows the dev …

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Source code may be stolen when you access a malicious web site. Source code may be stolen when you use output.iife: false and access a malicious web site.

An issue was discovered in lib/Server.js in webpack-dev-server. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://:/ connection from any origin.