SB2026070766 - Multiple vulnerabilities in webpack-dev-server



SB2026070766 - Multiple vulnerabilities in webpack-dev-server

Published: July 7, 2026

Security Bulletin ID SB2026070766
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-14631)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the host-validation path when handling HTTP requests or WebSocket upgrade requests with malformed Host or Origin headers. A remote attacker can send a specially crafted request to cause a denial of service.

The issue can be triggered through a normal HTTP request or through a WebSocket upgrade to the default /ws endpoint.


2) Cross-site request forgery (CVE-ID: CVE-2026-14620)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to cross-site request forgery in the /webpack-dev-server/open-editor and /webpack-dev-server/invalidate endpoints when handling cross-origin GET requests from a website visited by a developer while the dev server is running. A remote attacker can cause the victim's browser to send specially crafted requests to trigger editor launches and recompilations to cause a denial of service.

User interaction is required because the developer must visit a malicious website while the dev server is running. The issue can also cause an arbitrary existing local file to be opened in the developer's editor, including files outside the project root, but the file contents are not exposed to the attacker.


Remediation

Install update from vendor's website.