CVE-2026-6402
Received Received - Intake
Cross-Origin Source Code Exposure in webpack-dev-server

Publication date: 2026-05-12

Last updated on: 2026-05-18

Assigner: openjs

Description
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-18
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-6402
EUVD
EUVD-2026-29404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webpack.js webpack-dev-server to 5.2.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when running on non-HTTPS (non-potentially trustworthy) origins such as plain HTTP.

The vulnerability arises because the previous fix relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit on non-trustworthy origins. This omission allows a malicious website to load the JavaScript bundles from the dev server via script tags and read the source code across origins.

An attacker controlling a website visited by a developer running webpack-dev-server over HTTP at a guessable host and port can recover the application source code.

Chromium-based browsers from Chrome 142 onward are not affected due to local network access restrictions.

The issue was fixed in webpack-dev-server version 5.2.4 by adding the Cross-Origin-Resource-Policy: same-origin header on responses.

Impact Analysis

This vulnerability can allow an attacker to steal your application's source code if you are running webpack-dev-server over HTTP on a guessable host and port.

If an attacker controls a website that you visit while running the vulnerable dev server, they can load and read your bundled source code across origins.

This exposure could lead to intellectual property theft, easier discovery of security flaws in your code, and potentially facilitate further attacks.

However, users of Chromium-based browsers version 142 and later are protected due to local network access restrictions.

Detection Guidance

This vulnerability can be detected by checking if your webpack-dev-server is running a version up to and including 5.2.3 and serving content over plain HTTP (non-HTTPS). You should verify whether the Cross-Origin-Resource-Policy header is set to same-origin in the HTTP responses from the dev server.

To detect this on your system or network, you can use commands to inspect the HTTP headers and the version of webpack-dev-server running.

  • Check the webpack-dev-server version: run `npm list webpack-dev-server` or check your package.json dependencies.
  • Use curl or similar tools to inspect HTTP response headers for the Cross-Origin-Resource-Policy header, for example: `curl -I http://localhost:port` and look for `Cross-Origin-Resource-Policy: same-origin`.
  • If the server is running on HTTP and the header is missing or not set to same-origin, the server is vulnerable.
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade webpack-dev-server to version 5.2.4 or later, which includes a fix by setting the Cross-Origin-Resource-Policy header to same-origin.

Alternatively, you can run the webpack-dev-server with HTTPS enabled instead of plain HTTP, which prevents the vulnerability by ensuring a potentially trustworthy origin.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart