CVEFinder.io

CVE-2026-6402

🔶 medium
๐Ÿ” Scan for this CVE

Description

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when served from a non-potentially-trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, so a malicious site could still load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium-based browsers from Chrome 142 onward are not affected because of their local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
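The two mitigation strategies the description contrasts can be modelled in a few lines. The JavaScript below is an added example and is not webpack-dev-server's own code: it shows why a check built on Sec-Fetch-* request headers falls open when the browser does not send them (the plain-HTTP case), why an unconditional Cross-Origin-Resource-Policy: same-origin response header does not depend on the request at all, and gives a small audit helper for checking a captured dev-server response header map. The function names, the dev-server origin devbox.lan:8080, the third-party origin and the sample requests are all constructed for the example.

```javascript
// Added example, not webpack-dev-server's own code. Models why a request
// metadata check fails over a non-potentially-trustworthy (plain HTTP)
// origin and why a CORP response header closes the gap. All names and
// origins below are hypothetical.

const DEV_SERVER_ORIGIN = 'http://devbox.lan:8080'; // constructed plain-HTTP dev origin
const OTHER_SITE = 'https://third-party.example';   // constructed unrelated site
const BUNDLE = '/* constructed stand-in for the bundled application source */';

// Constructed request from a page at `requesterOrigin` loading the bundle
// as a <script>. Browsers attach Sec-Fetch-* metadata only when they treat
// the target origin as potentially trustworthy; over plain HTTP it is absent.
function makeRequest({ requesterOrigin, withFetchMetadata }) {
  const headers = { host: 'devbox.lan:8080' };
  if (withFetchMetadata) {
    headers['sec-fetch-site'] = requesterOrigin === DEV_SERVER_ORIGIN ? 'same-origin' : 'cross-site';
    headers['sec-fetch-mode'] = 'no-cors';
    headers['sec-fetch-dest'] = 'script';
  }
  return { headers, requesterOrigin };
}

// Simplified model of the earlier request-header check (not the exact
// pre-5.2.4 logic): refuse cross-site script loads. When the headers are
// missing it cannot classify the request and serves the bundle anyway.
function secFetchGuard(req) {
  const site = req.headers['sec-fetch-site'];
  const dest = req.headers['sec-fetch-dest'];
  if (site === undefined || dest === undefined) {
    return { served: true, reason: 'no Sec-Fetch metadata on request; check falls open' };
  }
  if (site === 'cross-site' && dest === 'script') {
    return { served: false, reason: 'cross-site script load refused' };
  }
  return { served: true, reason: 'same-origin or non-script request' };
}

// The 5.2.4-style mitigation as a response hook: set on every response,
// independent of what the request carried; the browser enforces it.
function corpMiddleware(res) {
  res.headers['cross-origin-resource-policy'] = 'same-origin';
  return res;
}

// Model of browser CORP enforcement for a no-cors resource load:
// 'same-origin' withholds the body from every other origin.
function browserCanReadBody(res, requesterOrigin) {
  const corp = (res.headers['cross-origin-resource-policy'] || '').toLowerCase();
  if (corp === 'same-origin') return requesterOrigin === DEV_SERVER_ORIGIN;
  return true; // no CORP header (or 'cross-origin'): readable cross-origin
}

// Defender check over a captured response header map (lower-cased names):
// is the mitigation header present with the expected value?
function auditResponseHeaders(headers) {
  const value = headers['cross-origin-resource-policy'];
  return {
    mitigated: value !== undefined && value.toLowerCase() === 'same-origin',
    value: value ?? null,
  };
}

// End-to-end: does a page at `requesterOrigin` end up reading the bundle?
// mode 'sec-fetch' applies only the request-header check, 'corp' only the
// response-header mitigation.
function simulateLoad({ requesterOrigin, withFetchMetadata, mode }) {
  const req = makeRequest({ requesterOrigin, withFetchMetadata });
  let res = { headers: { 'content-type': 'application/javascript' }, body: BUNDLE };
  if (mode === 'sec-fetch') {
    const verdict = secFetchGuard(req);
    if (!verdict.served) return { bodyReadable: false, reason: verdict.reason };
  } else if (mode === 'corp') {
    res = corpMiddleware(res);
  } else {
    throw new Error(`unknown mode ${mode}`);
  }
  const readable = browserCanReadBody(res, req.requesterOrigin);
  return {
    bodyReadable: readable,
    reason: readable ? 'response body readable by requester' : 'browser withheld body under CORP same-origin',
  };
}

function runScenarios() {
  return {
    metadataPresentOldCheck: simulateLoad({ requesterOrigin: OTHER_SITE, withFetchMetadata: true, mode: 'sec-fetch' }),
    metadataAbsentOldCheck: simulateLoad({ requesterOrigin: OTHER_SITE, withFetchMetadata: false, mode: 'sec-fetch' }),
    metadataAbsentCorp: simulateLoad({ requesterOrigin: OTHER_SITE, withFetchMetadata: false, mode: 'corp' }),
    sameOriginCorp: simulateLoad({ requesterOrigin: DEV_SERVER_ORIGIN, withFetchMetadata: false, mode: 'corp' }),
  };
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(name.padEnd(26), r.bodyReadable ? 'READABLE' : 'blocked ', '-', r.reason);
}
```

The second scenario is the one the advisory describes: with no Sec-Fetch metadata the request-side check serves the bundle and nothing on the response side stops the cross-origin page from reading it. The third scenario shows that the CORP header works without any request metadata, and the fourth that the developer's own same-origin page is unaffected. `auditResponseHeaders` is the piece to reuse when verifying an upgraded dev server: feed it the header map of a response for the bundle and confirm `mitigated` is true.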

CVSS Score: 5.3 (Medium)
EPSS Score: 0.0 (exploit probability)
Published Date: 2026-05-12
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk: more severe than 19.8% of all 321,566 vulnerabilities in the CVEFinder.io database.
Severity Percentile: #257,788 (below average severity)
🎯 CISA SSVC Assessment (updated May 12, 2026)
🔍 Exploitation Status: None (no known exploits)
⚙️ Automatable: No (requires human interaction)
💥 Technical Impact: Partial (limited system impact)
🏆 Discovered By: sapphi-red (reporter); Ulises Gascón (remediation developer); Sebastian Beltran (remediation developer); Alexander Akait (remediation reviewer)
SSVC data provided by CISA
Last Modified: 2026-05-18
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)

📦 Affected Products (1)

🔗 References (2)

🔗 Related CVEs (3)

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2025-30359 | 🔶 medium | 5.3 | 0.1 | webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ... | 2025-06-03 |
| CVE-2025-30360 | 🔶 medium | 6.5 | 0.0 | webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ... | 2025-06-03 |
| CVE-2018-14732 | ⚠️ high | 7.5 | 0.2 | An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's cod... | 2018-09-21 |

These CVEs affect the same products.