search

gsthina / cw

Countries in our World - I know that you are a pro. Let's see how pro you are than others! Add players before you play.
0 stars 0 forks source link

webpack-dev-server version security alert #1

Open gsthina opened 5 years ago

gsthina commented 5 years ago

Remediation Upgrade webpack-dev-server to version 3.1.11 or later. For example:

"dependencies": { "webpack-dev-server": ">=3.1.11" } or… "devDependencies": { "webpack-dev-server": ">=3.1.11" } Always verify the validity and compatibility of suggestions with your codebase.

CVE-2018-14732 More information low severity Vulnerable versions: < 3.1.11 Patched version: 3.1.11 An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.11. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

akkijason commented 5 years ago

I am facing the same issue :(

gsthina commented 5 years ago

Hi @akkijason,

Did you manage to upgrade the webpack-dev-server to the Patched version: 3.1.11 ??

Please let me know how it works.

Thanks in advance, Thina