Description
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

webpack-dev-server versions up to and including 5.2.3 can serve bundled application source code to a malicious origin when the server runs over plain HTTP. The vulnerability stems from the absence of strict cross-origin controls when the Sec-Fetch-Mode and Sec-Fetch-Site headers are omitted for non-trustworthy origins. An attacker who controls a webpage that developers visit while running the dev server can trigger a script request and read the source code, thereby obtaining full application code leaked from the development environment.

Affected Systems

The affected product is webpack-dev-server, specifically versions 5.2.3 and earlier. The advisory recommends upgrading to 5.2.4 or later, which includes the cross-origin resource policy headers to mitigate the exposure.

Risk and Exploitability

The CVSS score of 5.3 indicates that the vulnerability has a moderate severity. The EPSS score is reported as less than 1% and it is not listed in KEV, suggesting that widespread exploitation has not yet been observed. The likely attack path requires the developer to be actively running the dev server over HTTP on a predictable host and port, and the attacker to serve a malicious webpage that the developer visits. The absence of the expected request headers removes the necessary origin check, allowing the attacker to read the bundled source. Chromium browsers from version 142 forward mitigate this issue by restricting local network access, reducing the exploitation window for those environments.

Generated by OpenCVE AI on May 13, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade webpack-dev-server to version 5.2.4 or later to have Cross-Origin-Resource-Policy set to same-origin on responses.
  • Ensure the dev server is served over HTTPS or limited to a non-public, trusted origin to reduce the chance of accidental exposure.
  • Restrict access to the development environment by configuring a reverse proxy or firewall rule that blocks external traffic to the dev server’s host and port.

Generated by OpenCVE AI on May 13, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
Title webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
Weaknesses CWE-749
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-12T13:00:06.847Z

Reserved: 2026-04-15T20:35:29.271Z

Link: CVE-2026-6402

cve-icon Vulnrichment

Updated: 2026-05-12T12:58:56.596Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T09:16:55.640

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-6402

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-12T07:45:21Z

Links: CVE-2026-6402 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T02:30:16Z

Weaknesses