Platform: nodejs
Component: webpack-dev-server
Fixed in: 5.2.2, 5.2.1
CVE-2025-30360 describes a WebSocket hijacking vulnerability in webpack-dev-server. The flaw allows a malicious website, particularly one served from an IP address, to establish a WebSocket connection to the development server, potentially exposing the served source code to the attacker. The vulnerability affects versions prior to 5.2.1, and a fix has been released.
An attacker can exploit this vulnerability by crafting a malicious website that leverages the flawed Origin header validation in webpack-dev-server. When a user visits this website with a non-Chromium browser, the attacker can potentially hijack WebSocket connections and intercept sensitive data transmitted over those connections. This could include source code, API keys, or other confidential information. The attack resembles the methodology described in CVE-2018-14732, but specifically targets webpack-dev-server's IP address origin handling. The blast radius extends to any application utilizing webpack-dev-server in a development or testing environment where the server is accessible from external networks.
This vulnerability was publicly disclosed on 2025-06-04. There is currently no indication of active exploitation campaigns targeting this specific CVE. Public proof-of-concept code is available, increasing the likelihood of exploitation attempts. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to webpack-dev-server version 5.2.1 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy server to filter incoming requests and block those with IP addresses in the Origin header. Alternatively, configure webpack-dev-server to strictly enforce allowed origins, preventing connections from unauthorized domains. Regularly review and update webpack-dev-server configurations to ensure adherence to security best practices.
Update webpack-dev-server to version 5.2.1 or higher. This corrects the Cross-site WebSocket hijacking vulnerability. Run `npm install webpack-dev-server@latest` or `yarn add webpack-dev-server@latest` to update.
CVE-2025-30360 is a medium-severity vulnerability in webpack-dev-server that allows attackers to potentially read served source code via WebSocket hijacking, caused by improper Origin header validation.
You are affected if you are using webpack-dev-server versions prior to 5.2.1 and are potentially exposed to external networks.
Upgrade to webpack-dev-server version 5.2.1 or later. Alternatively, implement WAF rules to filter IP-based Origins.
There is currently no indication of active exploitation campaigns, but public proof-of-concept code exists.
Refer to the webpack GitHub repository for updates and advisories: https://github.com/webpack/webpack-dev-server