
Backport security fix from v5.2.1 to version-4 (non-Chromium browser dev-server vulnerability)

Open Wajih-Ul-Hasan opened this issue 5 months ago • 5 comments

Summary

Backported the security patch from v5.2.1 to the version-4 branch to prevent dev client injection into unauthorized or potentially malicious browsers via the /webpack-dev-server route.

What This Fixes

  • Prevents exposure of dev asset listings and client scripts to untrusted sources
  • Implements a header-based access control mechanism instead of relying on insecure User-Agent detection

Context

Relevant to: https://github.com/webpack/webpack-dev-server/issues/5313
Inspired by: https://github.com/webpack/webpack-dev-server/pull/5315 (official v5.2.1 patch)

Since [email protected] depends on [email protected], and upgrading to v5 is not always viable for projects in production, this patch brings essential security hardening to the v4 codebase.

Implementation Details

  • Introduced isTrustedClient() helper to verify presence of webpack-dev-server-client header
  • /webpack-dev-server route now denies access (403) if the required header is missing
  • Patch mirrors the core logic used in v5.2.1, but adapted to v4’s Express-based routing
  • Clean, isolated backport to avoid impact on unrelated parts of the server

Thanks for considering this backport 🙏 Happy to adjust based on any review feedback.

Wajih-Ul-Hasan avatar Jul 11 '25 13:07 Wajih-Ul-Hasan
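The header gate described in the PR text above, as an added example (not code from this PR or from webpack-dev-server), contrasted with a User-Agent check. The header name comes from the PR description; the header value `"1"`, the helper names `looksLikeChromium`, `guardDevRoute` and `run`, and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration; not the project's implementation.
const CLIENT_HEADER = "webpack-dev-server-client"; // name taken from the PR description

// Node lower-cases incoming header names; a repeated header can arrive as an array.
function isTrustedClient(req) {
  const raw = req.headers[CLIENT_HEADER];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === "string" && value.trim().length > 0;
}

// Hypothetical User-Agent gate, shown only for contrast: the string is whatever
// the client chooses to send, so it cannot serve as an access decision.
function looksLikeChromium(req) {
  return /\bChrome\/\d+/.test(req.headers["user-agent"] || "");
}

// Express-style middleware for the /webpack-dev-server route: 403 unless the header is present.
function guardDevRoute(req, res, next) {
  if (!isTrustedClient(req)) {
    res.statusCode = 403;
    res.end("Forbidden");
    return;
  }
  next();
}

// Minimal request/response stubs so the example runs without Express.
function run(headers) {
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let passed = false;
  guardDevRoute({ url: "/webpack-dev-server", headers }, res, () => { passed = true; });
  return { status: res.statusCode, passed };
}

// Constructed sample requests.
const CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36";
const withHeader = { "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0", [CLIENT_HEADER]: "1" };
const uaOnly = { "user-agent": CHROME_UA };

console.log(run(withHeader));                        // header present: passes
console.log(run(uaOnly));                            // no header: 403
console.log(looksLikeChromium({ headers: uaOnly })); // the UA gate would have let it through
```

A header-presence check only covers what a browser sends on its own: script tags and navigations cannot set custom headers, and a cross-origin fetch that sets one triggers a CORS preflight. It does not authenticate a non-browser client, which can send any header it likes.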

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Wajih-Ul-Hasan / name: Wajih-Ul-Hasan (c0c647f77de0957edd5bf85b5d5d27613a9c62f9, 0a08b4b16b465506620f090a3b9ce75000c28c41)

Hi @alexander-akait — tagging you as discussed in Issue #5313. This PR backports the dev-server security fix for non-Chromium browsers to the version-4 branch. Let me know if any changes are needed.

Wajih-Ul-Hasan avatar Jul 11 '25 13:07 Wajih-Ul-Hasan

Sorry, it is not a good fix. We can't apply a security fix using userAgentHeader; it is unsafe and insecure. We need to backport the header logic.

alexander-akait avatar Jul 11 '25 13:07 alexander-akait

@alexander-akait If you have any better logic in mind, kindly share it with me. I will implement it.

Wajih-Ul-Hasan avatar Jul 11 '25 13:07 Wajih-Ul-Hasan

There is a start of work - https://github.com/webpack/webpack-dev-server/pull/5514, just need to backport this logic from v5 to v4

alexander-akait avatar Jul 11 '25 14:07 alexander-akait