PT-2026-39959 · Npm · Webpack-Dev-Server

Credits: Alexander Akait +3

Published: 2026-05-12 · Updated: 2026-05-18 · CVE-2026-6402

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.4

Description: Cross-origin source code exposure occurs when serving over a non-potentially-trustworthy origin, such as plain HTTP. The issue arises because the previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins. This allows a malicious site to load the bundled source as a script and read it across origins. An attacker controlling a website visited by a developer can recover the application source code if the server runs over HTTP at a guessable host and port. Chromium-based browsers from Chrome 142 onward are not affected due to local network access restrictions.

Recommendations: Upgrade to version 5.2.4 or later.

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-6402
GHSA-79CF-XCQC-C78W

Affected Products

Webpack-Dev-Server