PT-2026-55575 · Npm · Webpack-Dev-Server
Bjohansebas +2 · Published 2026-07-03 · Updated 2026-07-03
CVE-2026-14620 · CVSS v3.1 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
webpack-dev-server versions prior to 5.2.6
Description
Internal developer endpoints '/webpack-dev-server/open-editor' and '/webpack-dev-server/invalidate' perform state-changing actions on GET requests without verifying the request origin. This allows any website visited by a developer to trigger these endpoints cross-origin. An attacker can open arbitrary local files in the developer's editor, including those outside the project root. Additionally, repeated requests can spawn multiple editor processes and force recompilations, leading to system performance degradation.
Recommendations
Upgrade to webpack-dev-server 5.2.6.
Fix
CSRF
Affected Products
Webpack-Dev-Server