CVE-2025-30360: 
JavaScript vulnerability analysis and mitigation

webpack-dev-server, a development server that provides live reloading functionality for webpack, was found to contain a vulnerability (CVE-2025-30360) discovered and disclosed on June 3, 2025. The vulnerability affects versions prior to 5.2.1 and allows potential source code theft when users access malicious websites using non-Chromium based browsers (GitHub Advisory).

The vulnerability stems from webpack-dev-server's handling of Origin headers in WebSocket connections. While the server implements checks to prevent Cross-site WebSocket hijacking (previously reported in CVE-2018-14732), it always allows IP address Origin headers. This implementation flaw enables websites served on IP addresses to establish WebSocket connections, potentially leading to unauthorized source code access. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory, NVD).

The primary impact of this vulnerability is the potential theft of source code from applications using webpack-dev-server. This risk specifically affects users who utilize predictable ports and non-Chromium based browsers. The vulnerability does not affect Chrome 94+ and other Chromium-based browsers due to their non-HTTPS private access blocking feature (GitHub Advisory).

The vulnerability has been patched in webpack-dev-server version 5.2.1. Users are strongly advised to upgrade to this version or later to protect against potential source code theft. For users who cannot immediately upgrade, switching to a Chromium-based browser (version 94 or later) provides protection through the browser's built-in security features (GitHub Advisory).