CVE-2026-6402
Cross-Origin Source Code Exposure in webpack-dev-server
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: openjs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webpack | webpack-dev-server | Up to and including 5.2.3 (affected) |
| webpack | webpack-dev-server | From 5.2.4 (inclusive) onward (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
AI Powered Q&A
Can you explain this vulnerability to me?
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when running on non-HTTPS (non-potentially trustworthy) origins such as plain HTTP.
The vulnerability arises because the previous fix relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit on non-trustworthy origins. This omission allows a malicious website to load the JavaScript bundles from the dev server via script tags and read the source code across origins.
An attacker controlling a website visited by a developer running webpack-dev-server over HTTP at a guessable host and port can recover the application source code.
Chromium-based browsers from Chrome 142 onward are not affected due to local network access restrictions.
The issue was fixed in webpack-dev-server version 5.2.4 by adding the Cross-Origin-Resource-Policy: same-origin header on responses.
How can this vulnerability impact me?
This vulnerability can allow an attacker to steal your application's source code if you are running webpack-dev-server over HTTP on a guessable host and port.
If an attacker controls a website that you visit while running the vulnerable dev server, they can load and read your bundled source code across origins.
This exposure could lead to intellectual property theft, easier discovery of security flaws in your code, and potentially facilitate further attacks.
However, users of Chromium-based browsers version 142 and later are protected due to local network access restrictions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your webpack-dev-server is running a version up to and including 5.2.3 and serving content over plain HTTP (non-HTTPS). You should verify whether the Cross-Origin-Resource-Policy header is set to same-origin in the HTTP responses from the dev server.
To detect this on your system or network, you can use commands to inspect the HTTP headers and the version of webpack-dev-server running.
- Check the webpack-dev-server version: run `npm list webpack-dev-server` or check your package.json dependencies.
- Use curl or similar tools to inspect HTTP response headers for the Cross-Origin-Resource-Policy header, for example: `curl -I http://localhost:port` and look for `Cross-Origin-Resource-Policy: same-origin`.
- If the server is running on HTTP and the header is missing or not set to same-origin, the server is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade webpack-dev-server to version 5.2.4 or later, which includes a fix by setting the Cross-Origin-Resource-Policy header to same-origin.
Alternatively, you can run webpack-dev-server with HTTPS enabled instead of plain HTTP. Serving from a potentially trustworthy origin means browsers send the Sec-Fetch-Mode and Sec-Fetch-Site headers that the earlier fix relies on, so the cross-origin read is blocked.