PT-2018-12687 · Browserify · Browserify-Hmr
Published: 2018-09-21 · Updated: 2020-09-01 · CVE-2018-14730

| Field | Value |
|---|---|
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
browserify-hmr versions prior to 0.4.0
Description
The WebSocket server used for Hot Module Replacement (HMR), reachable at ws://127.0.0.1:3123/, does not check the origin of incoming connections. Because browsers let a page from any origin open a WebSocket to a loopback address, a malicious page visited by the developer can connect and receive the HMR messages the server sends, which is how the developer's code can be exposed.
Recommendations
Upgrade to version 0.4.0 or later.
As a temporary workaround, consider restricting access to the WebSocket server to minimize the risk of exploitation.
Weakness Enumeration
Information Disclosure
Affected products
Browserify-Hmr