A vulnerability found in webpack-dev-server #1445

Closed
chromium1337 opened this issue Jul 24, 2018 · 9 comments

Comments

@chromium1337

Hi, I found a vulnerability in webpack-dev-server, how do I report it to you?

@alexander-akait
Member

@chromium1337 Is it a problem in dependencies or in webpack-dev-server code?

@chromium1337
Author

@evilebottnawi It's in webpack-dev-server code, not dependencies.

@alexander-akait
Member

@chromium1337 please send details to sheo13666q @ gmail . com

@yagoestevez

Hi,
Not sure if it's the same vulnerability. I was just warned by NPM about these vulnerabilities which webpack-dev-server depends on:
vulnerabilities

@rschultheis

👋 Hi I am looking at this issue as it seems to relate to these security advisories:

As far as I can tell, the fix commit has not made it to master nor been released? Both the NPM Advisory and CVE report a fix version of 3.1.6, but nothing in 3.1.6 release looks like the fix for this? The bugfix/origin-header branch needs a PR and to get merged and deployed.

Am I mistaken or has the fix for this not really been deployed?

This package is widely used so I am looking at this from the perspective of making sure the public data sources are correct.

CC fix commit author @sokra

@alexander-akait
Member

This package should be used only for development purposes, so it is not a very high priority.

@alexander-akait
Member

Done in webpack-dev-server@3.1.11

jdleesmiller added a commit to jdleesmiller/twenty48 that referenced this issue Jan 5, 2019
@xhocquet

@evilebottnawi Could you please advise the state of this vulnerability in webpack-dev-server 2.11.3? Is this vulnerability present, and if so is there a possibility of adding this patch as a security update?

@kfern

kfern commented Jan 26, 2019

In webpack-dev-server 2.11.3, npm audit found 1 high severity vulnerability.
+1 @xhocquet. We need a 2.x security update patch.
