
Alexander Akait

#40918 of 53,633
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-39959
6.5
2026-05-12
Npm · Webpack-Dev-Server · CVE-2026-6402
**Name of the Vulnerable Software and Affected Versions**
webpack-dev-server versions prior to 5.2.4

**Description**
Cross-origin source code exposure occurs when serving over a non-potentially trustworthy origin, such as plain HTTP. The issue arises because the previous fix relied on `Sec-Fetch-Mode` and `Sec-Fetch-Site` request headers, which browsers omit for non-trustworthy origins. This allows a malicious site to load the bundled source as a script and read it across origins. An attacker controlling a website visited by a developer can recover the application source code if the server runs over HTTP at a guessable host and port. Chromium-based browsers from Chrome 142 onward are not affected due to local network access restrictions.

**Recommendations**
Upgrade to version 5.2.4 or later.