{"uuid": "9d0db4ed-5e28-4f12-a31b-2043915687cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6402", "type": "seen", "source": "https://gist.github.com/alon710/6c307c7259353f2c5a97793055cbda6e", "content": "# CVE-2026-6402: CVE-2026-6402: Cross-Origin Source Code Exposure in webpack-dev-server\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-6402\n\n## Summary\nA medium-severity vulnerability in webpack-dev-server versions up to 5.2.3 allows malicious external websites to exfiltrate an application's entire source code when the development server is accessed over plain HTTP. The vulnerability leverages cross-origin script inclusion to bypass origin restrictions.\n\n## TL;DR\nwebpack-dev-server <= 5.2.3 fails to block cross-origin script inclusions over HTTP due to missing Fetch Metadata headers, enabling attackers to steal local source code by hooking global webpack registry functions.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-749\n- **Attack Vector**: Network (Requires User Interaction)\n- **CVSS Score**: 5.3 (Medium)\n- **EPSS Score**: 0.00033\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: Proof of Concept\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- webpack-dev-server <= 5.2.3\n- **webpack-dev-server**: <= 5.2.3 (Fixed in: `5.2.4`)\n\n## Mitigation\n\n- Upgrade webpack-dev-server to version 5.2.4 or later\n- Run the development server over TLS (HTTPS) to enforce secure contexts\n- Restrict the allowedHosts configuration directive to specific domains\n\n**Remediation Steps:**\n1. Identify projects utilizing webpack-dev-server versions <= 5.2.3\n2. Update package.json dependencies to require webpack-dev-server ^5.2.4\n3. Run npm install or yarn install to apply the updated dependencies\n4. Review webpack configuration files to remove 'allowedHosts: all' entries\n5. Implement HTTPS for local development environments where possible\n\n## References\n\n- [NVD Entry for CVE-2026-6402](https://nvd.nist.gov/vuln/detail/CVE-2026-6402)\n- [GitHub Security Advisory GHSA-79cf-xcqc-c78w](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w)\n- [OpenJS Foundation Advisory](https://cna.openjsf.org/security-advisories.html)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-6402) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T14:40:50.000000Z"}