EIQ-2019-0004

ID	EIQ-2019-0004
CVE	CVE-2018-14732
Description	No origin validation in webpack-dev-server
Date	30 Jan 2019
Severity	3 - HIGH
CVSSv3 score	7.5
Status	2.3.4
Assessment	webpack-dev-server versions 3.1.10 and earlier fail to correctly check the origin of the requests sent to the WebSocket server component. This makes it possible for a remote attacker to send a Hot Module Replacement (HMR) message to a targeted system. In this way, the the attacker can obtain access to sensitive information on the targeted system.
Mitigation	Update to webpack-dev-server 3.1.11 or later. Restrict network access to block untrusted sources.
Affected versions	2.3.0 to 2.3.3 included.
Notes	For more information, see: npm advisory A vulnerability found in webpack-dev-server check origin header for websocket connection Sniffing Codes in Hot Module Reloading Messages

In release notes 2.3.3

In release notes 2.3.4