webpack-dev-server
cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*
- <= 5.2.3
A vulnerability in webpack-dev-server in versions through 5.2.3 allows cross-origin exposure of source code when the dev server is served over non-HTTPS origins, such as plain HTTP. The issue arises because the server's JavaScript bundles can be loaded as scripts by malicious websites, bypassing previous security measures that relied on request headers which browsers do not send for untrusted origins. This vulnerability enables an attacker to intercept and exfiltrate application source code from developers using the dev server over HTTP on a guessable host and port. However, this issue does not affect Chromium-based browsers from Chrome 142 onward due to local network access restrictions.
Exploitation of this vulnerability allows for cross-origin source code exposure, where an attacker can recover the application source code from a developer's webpack-dev-server running over HTTP.
Users can upgrade to webpack-dev-server version 5.2.4 or later, which addresses the vulnerability by setting the Cross-Origin-Resource-Policy header to same-origin on responses. Alternatively, the dev server can be run with HTTPS enabled.
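A defender-side check for the two conditions described above, added here as an example (it is not code from webpack-dev-server or from this advisory): it compares an installed version against the 5.2.4 fix and inspects a saved response head for a bundle. The function names, the sample URL and the sample responses are constructed for illustration.

```javascript
// Added example: names and sample data are constructed, not from webpack-dev-server.
const FIXED = [5, 2, 4]; // first fixed release per the advisory

// True for any release at or below 5.2.3 (a pre-release suffix is ignored).
function isAffectedVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < FIXED.length; i++) {
    const p = parts[i] || 0;
    if (p !== FIXED[i]) return p < FIXED[i];
  }
  return false; // exactly 5.2.4
}

// Parse the header block of a raw HTTP response head (e.g. saved `curl -sI` output).
// Header names are lower-cased because HTTP header names are case-insensitive.
function parseHead(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const i = line.indexOf(':');
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Per the advisory, a bundle response is exposed when it is served over plain
// HTTP and does not carry Cross-Origin-Resource-Policy: same-origin.
function auditBundleResponse(bundleUrl, rawHead) {
  const plainHttp = new URL(bundleUrl).protocol === 'http:';
  const corp = (parseHead(rawHead).get('cross-origin-resource-policy') || '').toLowerCase();
  const hasCorp = corp === 'same-origin';
  return { plainHttp, hasCorp, exposed: plainHttp && !hasCorp };
}

// Constructed sample response heads: one without the header, one with it.
const BEFORE = 'HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n';
const AFTER = 'HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n' +
  'cross-origin-resource-policy: same-origin\r\n\r\n';

console.log(isAffectedVersion('5.2.3'),
  auditBundleResponse('http://localhost:8080/main.js', BEFORE),
  auditBundleResponse('http://localhost:8080/main.js', AFTER));
```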