PT-2018-12687 · Browserify · Browserify-Hmr
Published 2018-09-21 · Updated 2020-09-01 · CVE-2018-14730
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
browserify-hmr versions prior to 0.4.0
Description
An issue was discovered in which the WebSocket server used for Hot Module Replacement (HMR) does not check the origin of incoming connections, allowing an attacker to steal a developer's code. The server, reachable at ws://127.0.0.1:3123/, accepts handshakes without validating their origin, so any client, regardless of its origin, can connect and receive the HMR messages the server sends.
Recommendations
Upgrade to version 0.4.0 or later.
As a temporary workaround, consider restricting access to the WebSocket server to minimize the risk of exploitation.
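The kind of origin check these recommendations call for, as an added example that is not browserify-hmr's own code; it assumes the HMR server is built on the `ws` package (its `verifyClient` hook) and that the developer supplies the allowed page origins (here a constructed app on localhost:8080).

```javascript
// Added example (not browserify-hmr's own code): refuse WebSocket handshakes
// whose Origin header is not on an explicit allow-list. Assumptions: the HMR
// server is built on the `ws` package, whose verifyClient hook receives
// { req }, and the allowed page origins are supplied by the developer.

// Normalise a list of origins ("scheme://host[:port]") into a Set.
function buildOriginAllowList(origins) {
  const set = new Set();
  for (const o of origins) set.add(new URL(o).origin);
  return set;
}

// Decide whether an HTTP Upgrade request may become a WebSocket connection.
// `headers` is a Node IncomingMessage.headers object (keys are lower-case).
// Browsers always send Origin on a WebSocket handshake, so a missing, empty,
// opaque ("null") or unparsable value is rejected rather than trusted.
function isAllowedOrigin(headers, allowList) {
  const origin = headers.origin;
  if (typeof origin !== "string" || origin === "" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // e.g. "http://localhost:8080.attacker.example" has an invalid port
  }
  // Compare the serialised origin, not the raw header, so a trailing slash or
  // upper-case host in the header does not slip past the comparison.
  return allowList.has(parsed.origin);
}

// verifyClient in the shape used by `ws`: returning false refuses the upgrade
// before any HMR message is sent to that client.
function makeVerifyClient(allowList) {
  return (info) => isAllowedOrigin(info.req.headers, allowList);
}

// Constructed sample: the developer's app is served from localhost:8080.
const hmrAllowList = buildOriginAllowList([
  "http://localhost:8080",
  "http://127.0.0.1:8080",
]);
const verifyClient = makeVerifyClient(hmrAllowList);

// Wiring (assumption, not executed here):
//   new WebSocket.Server({ host: "127.0.0.1", port: 3123, verifyClient });
```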
Information Disclosure
Affected Products: Browserify-Hmr