MycroftAI / mimic-recording-studio

Mimic Recording Studio is a Docker-based application you can install to record voice samples, which can then be trained into a TTS voice with Mimic2
Apache License 2.0

webpack-dev-server prior to 3.1.11 is vulnerable #13

Status: Closed. KathyReid closed 5 years ago

KathyReid commented 5 years ago

CVE-2018-14732 (low severity)
https://nvd.nist.gov/vuln/detail/CVE-2018-14732
Vulnerable versions: < 3.1.11
Patched version: 3.1.11

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.11. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

KathyReid commented 5 years ago

I'm an idiot, webpack isn't actually a dep of this project. https://github.com/MycroftAI/mimic-recording-studio/search?q=webpack&unscoped_q=webpack

Closing issue.
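A lockfile check for the question this thread turned on, whether webpack-dev-server is installed at a version below 3.1.11, as an added example that is not part of the original issue or the project's code. It goes beyond a repository text search by also covering transitive copies in both `package-lock.json` layouts; the sample lockfiles and the `example-build-tool` package name are constructed for illustration.

```javascript
// Added example: flag webpack-dev-server copies in a package-lock.json below 3.1.11.
const PKG = 'webpack-dev-server';
const PATCHED = [3, 1, 11];

// Parse "3.1.10" or "3.1.11-rc.1" into [major, minor, patch, isPrerelease].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), Boolean(m[4])] : null;
}

// True when the version sorts before 3.1.11; unparseable versions are flagged too.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== PATCHED[i]) return p[i] < PATCHED[i];
  }
  return p[3]; // a 3.1.11 prerelease sorts before the 3.1.11 release
}

// Return {path, version, vulnerable} for each installed copy, direct or transitive.
function findDevServer(lock) {
  const hits = [];
  const hit = (path, v) => hits.push({ path, version: v, vulnerable: isVulnerable(v) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === PKG) hit(path, info.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === PKG) hit(path, info.version);
      walk(info.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles; "example-build-tool" is a hypothetical package.
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-build-tool': { version: '1.0.0', dependencies: { [PKG]: { version: '3.1.9' } } } } };
const sampleV2 = { lockfileVersion: 2, packages: {
  '': { name: 'demo' }, ['node_modules/' + PKG]: { version: '3.1.11' } } };
console.log(JSON.stringify([findDevServer(sampleV1), findDevServer(sampleV2)], null, 2));
```

An empty result from `findDevServer` means no copy of the package is locked at all, which is the outcome the second comment reports for this repository.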