{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6402","assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","state":"PUBLISHED","assignerShortName":"openjs","dateReserved":"2026-04-15T20:35:29.271Z","datePublished":"2026-05-12T07:45:21.253Z","dateUpdated":"2026-05-12T13:00:06.847Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs","dateUpdated":"2026-05-12T07:45:21.253Z"},"descriptions":[{"lang":"en","value":"webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.","supportingMedia":[{"type":"text/html","base64":false,"value":"webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses."}]}],"affected":[{"vendor":"webpack-dev-server","product":"webpack-dev-server","defaultStatus":"unaffected","versions":[{"versionType":"semver","status":"affected","version":"0","lessThan":"5.2.4"},{"versionType":"semver","status":"unaffected","version":"5.2.4"}],"packageURL":"pkg:npm/webpack-dev-server"}],"references":[{"url":"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w"},{"url":"https://cna.openjsf.org/security-advisories.html"}],"credits":[{"lang":"en","type":"reporter","value":"sapphi-red"},{"lang":"en","type":"remediation developer","value":"Ulises Gascón"},{"lang":"en","type":"remediation developer","value":"Sebastian Beltran"},{"lang":"en","type":"remediation reviewer","value":"Alexander Akait"}],"title":"webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins","metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM"},"scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-749","lang":"en","description":"CWE-749: Exposed Dangerous Method or Function","type":"CWE"}]}],"x_generator":{"engine":"cve-kit 1.0.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-12T12:57:17.986993Z","id":"CVE-2026-6402","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-12T13:00:06.847Z"}}]}}