VulnerableCode Package Details - pkg:npm/webpack-dev-server@3.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-75e2-9wkm-m3e8 Aliases: CVE-2018-14732 GHSA-cf66-xwfp-gvc4	Improper Input Validation An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.	3.1.6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.1.11 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-anh4-k59z-k7bf Aliases: CVE-2025-30360 GHSA-9jgg-88mc-972h	webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser Source code may be stolen when you access a malicious web site with non-Chromium based browser.	5.2.1 Affected by 0 other vulnerabilities.
VCID-warh-bga4-wuhs Aliases: CVE-2025-30359 GHSA-4v9v-hfq4-rm2v	webpack-dev-server users' source code may be stolen when they access a malicious web site Source code may be stolen when you access a malicious web site. Source code may be stolen when you use [`output.iife: false`](https://webpack.js.org/configuration/output/#outputiife) and access a malicious web site.	5.2.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-75e2-9wkm-m3e8
Aliases:
CVE-2018-14732
GHSA-cf66-xwfp-gvc4

Improper Input Validation An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

3.1.6
Affected by 2 other vulnerabilities.

3.1.11
Affected by 2 other vulnerabilities.

VCID-anh4-k59z-k7bf
Aliases:
CVE-2025-30360
GHSA-9jgg-88mc-972h

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser Source code may be stolen when you access a malicious web site with non-Chromium based browser.

5.2.1
Affected by 0 other vulnerabilities.

VCID-warh-bga4-wuhs
Aliases:
CVE-2025-30359
GHSA-4v9v-hfq4-rm2v

webpack-dev-server users' source code may be stolen when they access a malicious web site Source code may be stolen when you access a malicious web site. Source code may be stolen when you use [`output.iife: false`](https://webpack.js.org/configuration/output/#outputiife) and access a malicious web site.

5.2.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:51:43.395281+00:00	GitLab Importer	Affected by	VCID-anh4-k59z-k7bf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/webpack-dev-server/CVE-2025-30360.yml	38.6.0
2026-06-06T05:51:41.726627+00:00	GitLab Importer	Affected by	VCID-warh-bga4-wuhs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/webpack-dev-server/CVE-2025-30359.yml	38.6.0
2026-06-04T20:14:52.257496+00:00	GitLab Importer	Affected by	VCID-75e2-9wkm-m3e8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/webpack-dev-server/CVE-2018-14732.yml	38.6.0