webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints
Summary
| CVE | CVE-2026-14620 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-03 17:16:53 UTC |
| Updated | 2026-07-07 15:12:43 UTC |
| Description | webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none. |
Risk And Classification
Primary CVSS: v3.1 4.7 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
EPSS: 0.001160000 probability, percentile 0.018730000 (date 2026-07-06)
Problem Types: CWE-352 | CWE-749 | CWE-352 CWE-352: Cross-Site Request Forgery (CSRF) | CWE-749 CWE-749: Exposed Dangerous Method or Function
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L |
| 3.1 | CNA | CVSS | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
NoneIntegrity
NoneAvailability
LowCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Webpack.js | Webpack-dev-server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Webpack-dev-server | Webpack-dev-server | affected 5.2.6 semver | Not specified |
| CNA | Webpack-dev-server | Webpack-dev-server | unaffected 5.2.6 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Third Party Advisory |
| github.com/webpack/webpack-dev-server/security/advisories/GHSA-f5vj-f2hx... | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Pig-Tail (en)
CNA: bjohansebas (en)
CNA: UlisesGascon (en)
There are currently no legacy QID mappings associated with this CVE.