Skip to content

chore(deps): update dependency webpack-dev-server to v5.2.5 [security]#348

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-webpack-dev-server-vulnerability
Open

chore(deps): update dependency webpack-dev-server to v5.2.5 [security]#348
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-webpack-dev-server-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 20, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
webpack-dev-server 5.2.25.2.5 age confidence

webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

CVE-2026-6402 / GHSA-79cf-xcqc-c78w

More information

Details

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).

Resources

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

CVE-2026-9595 / GHSA-mx8g-39q3-5c79

More information

Details

Impact

When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches

Fixed in webpack-dev-server 5.2.5.

Workarounds

Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.5

Compare Source

Patch Changes
  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #​5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)
Bug Fixes
  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
5.2.3 (2026-01-12)
Bug Fixes
  • add cause for errorObject (#​5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#​5598) (f91baa8)
  • progress indicator styles (#​5557) (41a53a1)
  • upgrade selfsigned to v5
5.2.2 (2025-06-03)
Bug Fixes

v5.2.4

Compare Source

v5.2.3

Compare Source


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 5989e65 to 1a7a73a Compare June 1, 2026 22:43
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 1a7a73a to 153800f Compare June 11, 2026 15:03
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 153800f to 11c543f Compare June 30, 2026 19:49
@renovate renovate Bot changed the title chore(deps): update dependency webpack-dev-server to v5.2.4 [security] chore(deps): update dependency webpack-dev-server to v5.2.5 [security] Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants