CVE-2018-14732

⚠️ high

Summary

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

CVSS Score

7.5

High

EPSS Score

0.2

Exploit Probability

Published Date

2018-09-21

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.1% of all 321,566 vulnerabilities in our database.

#99,499

Above average severity

Severity Percentile

Last Modified 2024-11-21

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE IDs (Weakness Types)

CWE-20

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
webpack.js	webpack-dev-server	Affected	< 3.1.6

🔗 References 3

https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Ho...

Exploit Third Party Advisory

https://github.com/webpack/webpack-dev-server/commit...

Patch Third Party Advisory

https://github.com/webpack/webpack-dev-server/issues...

Exploit Third Party Advisory

🔗 Related CVEs 3

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-6402	🔶 medium	5.3	0.0	webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving o...	2026-05-12
CVE-2025-30359	🔶 medium	5.3	0.1	webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ...	2025-06-03
CVE-2025-30360	🔶 medium	6.5	0.0	webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ...	2025-06-03

These CVEs affect the same products