CVE-2025-30360

6.5 MEDIUM

📋 TL;DR

webpack-dev-server versions before 5.2.1 contain a Cross-Site WebSocket Hijacking vulnerability that lets a malicious website read source code from a running development server. The server's validation of the WebSocket Origin header is too permissive: it accepts connections from origins that are IP addresses. This affects developers who use webpack-dev-server with non-Chromium browsers.

💻 Affected Systems

Products:
  • webpack-dev-server
Versions: All versions before 5.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects non-Chromium browsers (Firefox, Safari, etc.). Development servers accessible via IP addresses are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal proprietary source code, intellectual property, and sensitive development artifacts from exposed development servers.

🟠 Likely Case: Source code leakage from development environments, potentially exposing API keys, credentials, and business logic.

🟢 If Mitigated: Limited impact if development servers are isolated from production networks and external access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Similar exploitation method to CVE-2018-14732. Attack requires user to visit malicious website while development server is running.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.1

Vendor Advisory: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h

Restart Required: Yes

Instructions:

1. Update webpack-dev-server to version 5.2.1 or later using npm: npm install webpack-dev-server@^5.2.1
2. Restart the development server
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Use Chromium-based browsers (applies to: all)

Switch to Chrome, Edge, or other Chromium-based browsers during development.

Restrict development server access (applies to: all)

Configure webpack-dev-server to only accept connections from localhost:

webpack-dev-server --host localhost

🧯 If You Can't Patch

  • Isolate development servers from production networks
  • Use VPN or network segmentation to restrict access to development environments

🔍 How to Verify

Check if Vulnerable:

Check the installed webpack-dev-server version:

npm list webpack-dev-server

Verify Fix Applied:

Confirm the reported version is 5.2.1 or higher:

npm list webpack-dev-server | grep webpack-dev-server

📡 Detection & Monitoring

Log Indicators:

  • WebSocket connection attempts from external IP addresses
  • Unusual Origin headers in WebSocket requests

Network Indicators:

  • WebSocket traffic to development server ports (typically 8080, 3000, 9000) from external sources

SIEM Query:

dest_port IN (8080, 3000, 9000) AND protocol="websocket" AND dest_ip IN (development_server_ips)

Note that in a cross-site WebSocket hijack the connection is opened by the developer's own browser, so the source address is usually the developer's machine rather than an external host; the Origin header of the handshake is the more reliable indicator.
