webpack-dev-server
cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*
- <= 5.2.0
A vulnerability in webpack-dev-server prior to version 5.2.1 allows source code theft when a user visits a malicious website. The issue arises because requests for scripts are not restricted by the same-origin policy. An attacker can place a script on their own site that, if executed, can access the victim's webpack runtime variables. By exploiting prototype pollution, that script can then retrieve the source code from the webpack modules. This vulnerability affects webpack-dev-server versions through 5.2.0.
Exploitation of this vulnerability allows for unauthorized access to the user's source code.
To reproduce this vulnerability, first download and extract the provided reproduction.zip file. After extracting, navigate to the extracted folder and run 'npm install' to install the necessary dependencies. Then, execute 'npx webpack-dev-server' to start the development server. Once the server is running, open the injected URL in a web browser. The injected script will execute, and the stolen source code will be displayed in the document and the devtools console.
Users can upgrade to webpack-dev-server version 5.2.1 or later to address this vulnerability.
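One server-side way to refuse the cross-site script load described above is to check the browser's Fetch Metadata request headers before serving a bundle. This is an added example, not code from this page or from webpack-dev-server; the function names and the sample requests are constructed for illustration, and it assumes a Connect/Express-style middleware chain.

```javascript
// Added example (not webpack-dev-server's code): Fetch Metadata check for a
// local dev server. Browsers that support Fetch Metadata send Sec-Fetch-*
// headers on every request. A classic <script src> load issued by a page on
// another site arrives with mode "no-cors" and site "cross-site".
function isCrossSiteNoCors(headers) {
  // Node lowercases incoming header names, so lookups use lowercase keys.
  const mode = headers["sec-fetch-mode"];
  const site = headers["sec-fetch-site"];
  return mode === "no-cors" && site === "cross-site";
}

// Connect/Express-style middleware: answer 403 instead of serving the bundle.
function blockCrossSiteNoCors(req, res, next) {
  if (isCrossSiteNoCors(req.headers)) {
    res.statusCode = 403;
    res.end("Cross-origin request blocked");
    return;
  }
  // Same-origin loads, top-level navigations and CORS-mode requests pass on.
  // Caveat: a browser that sends no Sec-Fetch-* headers also passes, so this
  // check is defence in depth, not a replacement for upgrading.
  next();
}

// Drive the middleware with a constructed request and report the outcome.
function simulate(headers) {
  const res = { statusCode: 200, body: "", end(b) { this.body = b || ""; } };
  let passed = false;
  blockCrossSiteNoCors({ headers }, res, () => { passed = true; });
  return { status: res.statusCode, passed };
}

// Constructed sample requests, keyed by scenario.
const SAMPLES = {
  crossSiteScript: { "sec-fetch-mode": "no-cors", "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
  sameOriginScript: { "sec-fetch-mode": "no-cors", "sec-fetch-site": "same-origin", "sec-fetch-dest": "script" },
  navigation: { "sec-fetch-mode": "navigate", "sec-fetch-site": "none", "sec-fetch-dest": "document" },
  crossSiteCors: { "sec-fetch-mode": "cors", "sec-fetch-site": "cross-site" },
  noFetchMetadata: { "user-agent": "constructed-legacy-client" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const { status, passed } = simulate(headers);
  console.log(`${name}: status=${status} passedToNext=${passed}`);
}
```

Only the cross-site `no-cors` request is refused; the request without Fetch Metadata headers is served, which is why the upgrade remains the actual fix.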