PT-2026-55576 · Npm · Webpack-Dev-Server

Bjohansebas +2 · Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-14631

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

webpack-dev-server versions prior to 5.2.6

Description

An unauthenticated peer can cause the Node.js process to terminate, resulting in a denial of service. This occurs when the server receives a normal HTTP request with a malformed Host header or a WebSocket upgrade request to the /ws endpoint with a malformed Origin header. The malformed values trigger an uncaught exception in the host-validation path, crashing the development server. The impact is limited to the availability of the server, with no risk of code execution or data disclosure.

Recommendations

Upgrade to webpack-dev-server version 5.2.6. Keep the development server bound to localhost and avoid exposing it to untrusted networks.
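
The failure class described above (a header parser that throws inside the validation path) shown next to a fail-closed form. This is an added example, not webpack-dev-server's code: the function names, the allowlist and the sample header values are assumptions constructed for illustration.

```javascript
// Added illustration, not webpack-dev-server source. Names and allowlist are hypothetical.
const ALLOWED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Fragile form: new URL() throws TypeError on a malformed value. With no
// try/catch in the request or upgrade handler, the exception is uncaught
// and the Node.js process exits.
function isAllowedHostFragile(hostHeader) {
  return ALLOWED_HOSTNAMES.has(new URL(`http://${hostHeader}`).hostname);
}

// Fail-closed parser: returns the hostname, or null for anything that is
// missing, oversized, unparseable, or carries userinfo, a non-root path,
// a query or a fragment.
function parseHostname(value, isFullUrl) {
  if (typeof value !== "string" || value.length === 0 || value.length > 255) {
    return null;
  }
  try {
    const url = new URL(isFullUrl ? value : `http://${value}`);
    const extras = url.username || url.password || url.search || url.hash;
    if (extras || url.pathname !== "/") return null;
    return url.hostname;
  } catch {
    return null; // malformed header: reject the request, keep the process alive
  }
}

// Host header is "host[:port]"; Origin header is "scheme://host[:port]".
function isAllowedHost(hostHeader) {
  const hostname = parseHostname(hostHeader, false);
  return hostname !== null && ALLOWED_HOSTNAMES.has(hostname);
}

function isAllowedOrigin(originHeader) {
  const hostname = parseHostname(originHeader, true);
  return hostname !== null && ALLOWED_HOSTNAMES.has(hostname);
}

// Constructed sample values, not taken from the advisory.
const samples = ["localhost:8080", "[::1]:8080", "example.test", "["];
for (const s of samples) console.log(JSON.stringify(s), isAllowedHost(s));
```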

Fix

DoS

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-14631

Affected Products

Webpack-Dev-Server