CVE-2018-14732
Origin Validation Bypass vulnerability in webpack-dev-server (npm)

Origin Validation Bypass | No known exploit

What is CVE-2018-14732 About?

This Origin Validation Bypass vulnerability affects `webpack-dev-server` versions before 3.1.10, allowing remote attackers to steal developer source code. It occurs due to missing origin validation on the websocket server used for Hot Module Replacement (HMR). Exploitation is remote and requires convincing a developer to use a vulnerable version.

Affected Software

webpack-dev-server <3.1.11

Technical Details

Versions of webpack-dev-server prior to 3.1.10 are vulnerable to an origin validation bypass. The WebSocket server that provides Hot Module Replacement (HMR) does not validate the `Origin` header of incoming WebSocket connection requests. Browsers do not apply the same-origin policy to WebSocket connections, so the server is the only place where this check can happen. An attacker can therefore craft a malicious webpage, served from a different domain, that opens a WebSocket connection to a developer's running webpack-dev-server instance. Because the origin is not checked, the connection succeeds, and the page can potentially read data exposed via HMR (such as source code, build artifacts, or other sensitive information) or inject commands. The result is exfiltration of the developer's client-side application source code and other sensitive development assets.
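The kind of check described above as missing, shown as an added example (it is not webpack-dev-server's patch or code): a Node.js guard that parses the `Origin` header of a WebSocket upgrade request and lets the upgrade proceed only for allowlisted hosts. `ALLOWED_HOSTS`, `isAllowedOrigin`, `guardUpgrade` and the sample origins are assumptions made for illustration.

```javascript
// Added example, not webpack-dev-server's own code. ALLOWED_HOSTS and both
// function names are assumptions chosen for illustration.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true only when the Origin header names an allowlisted host.
function isAllowedOrigin(originHeader, allowedHosts = ALLOWED_HOSTS) {
  // A missing Origin means a non-browser client; this sketch rejects it too.
  if (typeof originHeader !== 'string' || originHeader === '') return false;
  let origin;
  try {
    origin = new URL(originHeader);
  } catch (err) {
    return false; // the literal "null" origin and malformed values end up here
  }
  if (origin.protocol !== 'http:' && origin.protocol !== 'https:') return false;
  // Exact match on the parsed hostname. Prefix or substring matching would
  // accept look-alike hosts such as localhost.attacker.example.
  return allowedHosts.has(origin.hostname);
}

// Meant for a Node http.Server 'upgrade' listener, called before the socket
// is handed to the WebSocket library. Returns whether the upgrade may proceed.
function guardUpgrade(req, socket) {
  if (isAllowedOrigin(req.headers.origin)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}

// Constructed sample Origin values, evaluated offline (no server is started).
const SAMPLES = [
  'http://localhost:8080',
  'http://LOCALHOST:3000',
  'http://[::1]:8080',
  'https://attacker.example',
  'http://localhost.attacker.example',
  'null',
];

function evaluateSamples() {
  return SAMPLES.map((o) => [o, isAllowedOrigin(o)]);
}

console.log(evaluateSamples());
```

A dev server that is legitimately reached through another hostname needs that hostname added to the allowlist.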

What is the Impact of CVE-2018-14732?

Successful exploitation may allow attackers to steal sensitive information, including developer source code and intellectual property, potentially leading to further compromise of developer systems or applications.

What is the Exploitability of CVE-2018-14732?

Exploitation of this vulnerability is remote and of moderate complexity. An attacker would need to trick a developer running a vulnerable webpack-dev-server instance into visiting a specially crafted malicious webpage. This page would then attempt to establish a websocket connection to the webpack-dev-server. No authentication is required to exploit this, as the vulnerability lies in the lack of origin validation at the connection establishment phase. Privilege requirements are low, as it targets the server's network-facing websocket. The risk of exploitation is high, especially for developers who frequently browse the internet while running webpack-dev-server and might visit untrusted sites, enabling the malicious site to connect to their local server instance and exfiltrate data.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-14732?

Available Upgrade Options

  • webpack-dev-server
    • <3.1.11 → Upgrade to 3.1.11


What are Similar Vulnerabilities to CVE-2018-14732?

Similar Vulnerabilities: CVE-2020-27218, CVE-2020-28189, CVE-2023-38035, CVE-2015-1830, CVE-2017-1000411