{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-07-04T00:25:41.734","vulnerabilities":[{"cve":{"id":"CVE-2025-30360","sourceIdentifier":"security-advisories@github.com","published":"2025-06-03T18:15:25.410","lastModified":"2026-06-17T09:08:34.903","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue."},{"lang":"es","value":"webpack-dev-server permite a los usuarios usar webpack con un servidor de desarrollo que proporciona recarga en tiempo real. Antes de la versión 5.2.1, el código fuente de los usuarios de webpack-dev-server podía ser robado al acceder a un sitio web malicioso con un navegador que no fuera Chromium. El encabezado \"Origin\" se verifica para evitar el secuestro de WebSockets entre sitios, reportado por CVE-2018-14732. Sin embargo, webpack-dev-server siempre permite los encabezados \"Origin\" de direcciones IP. Esto permite que los sitios web que se sirven en direcciones IP se conecten a WebSockets. Un atacante puede obtener el código fuente mediante un método similar al utilizado para explotar CVE-2018-14732. La versión 5.2.1 incluye un parche para este problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"webpack","product":"webpack-dev-server","versions":[{"version":"< 5.2.1","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-06-03T17:57:51.255979Z","id":"CVE-2025-30360","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.1","matchCriteriaId":"16C3C1AC-AB15-456C-831A-A7F07FE7B88C"}]}]}],"references":[{"url":"https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}