A vulnerability found in webpack-dev-server #1445

Closed
chromium1337 opened this issue Jul 24, 2018 · 9 comments

@chromium1337

Hi, I found a vulnerability in webpack-dev-server, how do I report it to you?

@alexander-akait
Member

@chromium1337 Is it a problem in dependencies or in webpack-dev-server code?

@chromium1337
Author

@evilebottnawi It's in webpack-dev-server code, not dependencies.

@alexander-akait
Member

@chromium1337 please send details to sheo13666q @ gmail . com

@yagoestevez

Hi,
Not sure if it's the same vulnerability. I was just warned by NPM about these vulnerabilities which webpack-dev-server depends on:
vulnerabilities

@rschultheis

👋 Hi I am looking at this issue as it seems to relate to these security advisories:

As far as I can tell, the fix commit has not made it to master nor been released? Both the NPM Advisory and CVE report a fix version of 3.1.6, but nothing in 3.1.6 release looks like the fix for this? The bugfix/origin-header branch needs a PR and to get merged and deployed.

Am I mistaken or has the fix for this not really been deployed?

This package is widely used so I am looking at this from the perspective of making sure the public data sources are correct.

CC fix commit author @sokra

@alexander-akait
Member

This package should be used only for development purposes, so it is not very high priority.

@alexander-akait
Member

Done in webpack-dev-server@3.1.11

jdleesmiller added a commit to jdleesmiller/twenty48 that referenced this issue Jan 5, 2019
@xhocquet

@evilebottnawi Could you please advise the state of this vulnerability in webpack-dev-server 2.11.3? Is this vulnerability present, and if so is there a possibility of adding this patch as a security update?

@kfern

kfern commented Jan 26, 2019

In webpack-dev-server 2.11.3, npm audit found 1 high severity vulnerability.
+1 @xhocquet. We need a 2.x security update patch.
