webpack-dev-server Cross-Site WebSocket Hijacking Vulnerability Allowing Source Code Theft

Vulnerability

A vulnerability in webpack-dev-server prior to version 5.2.1 allows for source code theft when users access a malicious website using a non-Chromium-based browser. The issue arises because the server improperly handles the 'Origin' header, which is meant to prevent Cross-site WebSocket hijacking. webpack-dev-server does check this header, but it lets an 'Origin' header whose host is an IP address bypass the protection. As a result, a website served from an IP address can establish a WebSocket connection to the development server and exploit this vulnerability, similar to the method used in CVE-2018-14732.
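
The class of flaw described above, as an added example that is not webpack-dev-server's own code: an Origin check that exempts IP-literal hosts, beside one that requires an exact allowlist match. The function names, the allowlist and the sample Origin values are constructed for illustration.

```javascript
// Origins the dev server page is served from (constructed; all names here are hypothetical).
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);

// Parse an Origin header value; null for missing, "null" or malformed values.
function parseOrigin(header) {
  if (typeof header !== "string" || header === "null") return null;
  try {
    const url = new URL(header);
    return url.protocol === "http:" || url.protocol === "https:" ? url : null;
  } catch {
    return null;
  }
}

// True when the host is an IPv4 literal or a bracketed IPv6 literal.
function isIpLiteral(url) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname) || url.hostname.startsWith("[");
}

// Flawed pattern: any IP-literal origin is trusted, so a page served from
// an arbitrary IP address passes the cross-site WebSocket check.
function originAllowedWeak(header) {
  const url = parseOrigin(header);
  if (url === null) return false;
  if (isIpLiteral(url)) return true; // the bypass
  return ALLOWED_ORIGINS.has(url.origin);
}

// Hardened pattern: IP literals get no special case; only an exact
// scheme + host + port match against the allowlist is accepted.
function originAllowedStrict(header) {
  const url = parseOrigin(header);
  return url !== null && ALLOWED_ORIGINS.has(url.origin);
}

// Evaluate both checks over Origin values as seen on a WebSocket upgrade request.
function compare(samples) {
  return samples.map((o) => ({ origin: o, weak: originAllowedWeak(o), strict: originAllowedStrict(o) }));
}

console.table(compare([
  "http://localhost:8080", // the dev server's own page
  "http://203.0.113.7",    // unrelated site served from an IP (documentation range)
  "http://[2001:db8::1]",  // same, IPv6 documentation range
  "https://example.com",   // unrelated site served from a hostname
]));
```

The two checks disagree only on the IP-literal rows, which is the gap a page hosted on a bare IP address relies on.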

Impact

Exploitation of this vulnerability allows for source code theft from the user's development environment.

Reproduction

To reproduce this vulnerability, first download and extract the provided reproduction.zip file. After extracting, navigate to the directory and run 'npm install' to install the necessary dependencies. Then, execute 'npx webpack-dev-server' to start the development server. Once the server is running, open a non-Chromium browser and access 'http://{ipaddress}/?target=http://localhost:8080&file=main'. This will initiate a WebSocket connection to the development server. After the connection is established, edit the 'src/index.js' file in the extracted directory. The content of the edited file will appear in the browser, demonstrating that the source code has been accessed through the WebSocket connection.

Remediation

Users can upgrade to webpack-dev-server version 5.2.1 or later to address this vulnerability.

Added: Jun 5, 2025, 11:26 PM
Updated: Jun 6, 2025, 12:00 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.