CVE-2025-30360 – Webpack-dev-server Cross-site WebSocket Hijacking Vulnerability

June 3, 2025

CVE ID : CVE-2025-30360

Published : June 3, 2025, 6:15 p.m. | 1 hour, 15 minutes ago

Description : webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users’ source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-30359 – Webpack-dev-server Cross-Site Scripting (XSS) and Prototype Pollution

Next Article CVE-2025-5510 – Shiyi-Blog Remote Server-Side Request Forgery (SSRF) Vulnerability

Highlights

CVE-2025-4843 – D-Link DCS-932L Stack-Based Buffer Overflow Vulnerability

May 17, 2025

CVE ID : CVE-2025-4843

Published : May 18, 2025, 12:15 a.m. | 31 minutes ago

Description : A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. This affects the function SubUPnPCSInit of the file /sbin/udev. The manipulation of the argument CameraName leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

BrowserStack launches Figma plugin for detecting accessibility issues in design phase

Parasoft brings agentic AI to service virtualization in latest release

Node.js vs. Python for Backend: 7 Reasons C-Level Leaders Choose Node.js Talent

Handling JavaScript Event Listeners With Parameters

I finally gave NotebookLM my full attention – and it really is a total game changer

Google Chrome for iOS now lets you switch between personal and work accounts

How the Trump administration changed AI: A timeline

Download your photos before AT&T shuts down its cloud storage service permanently

Laravel Live Denmark

Laravel Live Denmark

The July 2025 Laravel Worldwide Meetup is Today

Livewire Security Vulnerability

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

Halo and Half-Life combine in wild new mod, bringing two of my favorite games together in one — here’s how to play, and how it works

Surprise! The iconic Roblox ‘oof’ sound is back — the beloved meme makes “a comeback so good it hurts” after three years of licensing issues

CVE-2025-30360 – Webpack-dev-server Cross-site WebSocket Hijacking Vulnerability

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access

CVE-2025-26168 – IXON VPN Client Local Privilege Escalation

Work 2.0: Emerging Workplace Trends Shaping the Future of Offices.

Tiny Screens, Big Impact

CVE-2025-4164 – PHPGurukul Employee Record Management System SQL Injection Vulnerability

CVE-2025-4843 – D-Link DCS-932L Stack-Based Buffer Overflow Vulnerability

CVE-2025-7396 – WolfSSL Curve25519 Blinding Support Vulnerability (Side-Channel Attack)

Microsoft pledges to train 1 million UK workers in AI by end of 2025

PoCGen: AI Tool Automates Exploit Generation for npm Vulnerabilities with LLMs

CVE-2025-30360 – Webpack-dev-server Cross-site WebSocket Hijacking Vulnerability

Related Posts