PatchSiren cyber security CVE debrief
CVE-2026-6402 Webpack.js CVE debrief
CVE-2026-6402 describes a cross-origin source code exposure issue in webpack-dev-server when it is served over a non-potentially trustworthy origin such as plain HTTP. A site visited by a developer can load the dev server’s bundled source as a script and read it across origins, potentially revealing application source code. The vendor fixed the issue in webpack-dev-server 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.
- Vendor: Webpack.js
- Product: Webpack-Dev-Server
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
Developers and teams running webpack-dev-server over plain HTTP for local or shared development, especially when the dev server is reachable at a non-loopback host and a guessable port. Organizations should care if source-code confidentiality matters during development, or if developers browse untrusted websites in the same browser while the dev server is running.
Technical summary
According to the supplied description and NVD data, webpack-dev-server versions up to and including 5.2.3 are vulnerable because the previous protection depended on the Sec-Fetch-Mode and Sec-Fetch-Site request headers. Browsers only attach those Fetch Metadata headers to requests for potentially trustworthy destinations (HTTPS, or loopback hosts such as localhost), so a dev server reached over plain HTTP at any other host never sees them and the check has nothing to act on. A malicious cross-origin page can then load the bundle as a script and read the response. The NVD record classifies the issue with CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3, Medium) and CWE-749 (Exposed Dangerous Method or Function). Chromium-based browsers from Chrome 142 onward are noted as not affected because of local network access restrictions, which gate requests from public websites to local-network addresses. The fixed release is webpack-dev-server 5.2.4 or later, which adds Cross-Origin-Resource-Policy: same-origin to responses; that header makes the browser refuse to deliver the response to a cross-origin no-cors load such as a script tag, whether or not Fetch Metadata was sent with the request.
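The following is an added model of the failure mode and the fix, written for this debrief; it is not webpack-dev-server code. It shows why a server-side check built on Sec-Fetch-* headers has nothing to act on when the dev server is reached over plain HTTP at a non-loopback host, and why Cross-Origin-Resource-Policy: same-origin closes the gap in the browser instead. The host names, the shape of the legacy check, and the simplified CORP and Fetch Metadata rules are assumptions made for the example.

```javascript
// Added model of CVE-2026-6402 for this debrief; not webpack-dev-server code.
// Host names, the shape of the legacy check, and the CORP model are assumptions.

// Browsers send Fetch Metadata only to potentially trustworthy destinations:
// https:, or http: to a loopback host. Any other http: host gets none.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function browserSendsFetchMetadata(destinationUrl) {
  const u = new URL(destinationUrl);
  if (u.protocol === 'https:') return true;
  return u.protocol === 'http:' && LOOPBACK_HOSTS.has(u.hostname);
}

// Request headers a browser attaches to <script src=destinationUrl> on a page
// whose origin is initiatorOrigin. Simplified: same-site is folded into cross-site.
function scriptRequestHeaders(initiatorOrigin, destinationUrl) {
  if (!browserSendsFetchMetadata(destinationUrl)) return {};
  const sameOrigin = new URL(destinationUrl).origin === initiatorOrigin;
  return {
    'sec-fetch-mode': 'no-cors',
    'sec-fetch-site': sameOrigin ? 'same-origin' : 'cross-site',
  };
}

// Stand-in for the pre-5.2.4 server-side protection (assumed shape): refuse a
// no-cors cross-site load, but when the headers are absent the legitimate
// same-origin dev page is indistinguishable from an attacker page, so the
// request is let through. That fail-open branch is the vulnerability.
function legacyCheckAllows(reqHeaders) {
  const mode = reqHeaders['sec-fetch-mode'];
  const site = reqHeaders['sec-fetch-site'];
  if (mode === undefined || site === undefined) return true;
  return !(mode === 'no-cors' && site === 'cross-site');
}

// Dev server response for the bundle; the patched variant adds the CORP header.
function devServerResponse(reqHeaders, patched) {
  if (!legacyCheckAllows(reqHeaders)) return { status: 403, headers: {} };
  const headers = { 'content-type': 'application/javascript' };
  if (patched) headers['cross-origin-resource-policy'] = 'same-origin';
  return { status: 200, headers };
}

// Browser enforcement of CORP for a no-cors load such as a <script> tag:
// absent -> deliver; same-origin -> deliver only to the same origin;
// cross-origin -> deliver. (same-site is not modelled here.)
function corpAllowsNoCorsLoad(initiatorOrigin, destinationUrl, resHeaders) {
  const corp = (resHeaders['cross-origin-resource-policy'] || '').toLowerCase();
  if (corp === 'same-origin') {
    return new URL(destinationUrl).origin === initiatorOrigin;
  }
  return true;
}

// Full round trip: does a page at initiatorOrigin end up with the bundle bytes?
function bundleExposedTo(initiatorOrigin, bundleUrl, patched) {
  const req = scriptRequestHeaders(initiatorOrigin, bundleUrl);
  const res = devServerResponse(req, patched);
  if (res.status !== 200) return false;
  return corpAllowsNoCorsLoad(initiatorOrigin, bundleUrl, res.headers);
}

// Constructed scenarios; all hosts are hypothetical.
const ATTACKER = 'https://attacker.example';
const LAN_BUNDLE = 'http://192.168.1.20:8080/main.js';   // plain HTTP, non-loopback
const LOOPBACK_BUNDLE = 'http://localhost:8080/main.js'; // plain HTTP, loopback

function runScenarios() {
  return {
    lanUnpatched: bundleExposedTo(ATTACKER, LAN_BUNDLE, false),           // true: source exposed
    lanPatched: bundleExposedTo(ATTACKER, LAN_BUNDLE, true),              // false: CORP blocks it
    loopbackUnpatched: bundleExposedTo(ATTACKER, LOOPBACK_BUNDLE, false), // false: headers present, 403
    devPagePatched: bundleExposedTo('http://192.168.1.20:8080', LAN_BUNDLE, true), // true: same origin still works
  };
}

console.log(runScenarios());
```

The loopback scenario shows why a developer who only ever opens http://localhost would not have been exposed by this gap: the browser still sends Fetch Metadata there. The Chrome 142 local network access restriction mentioned in the summary is a third, browser-side layer that this model does not include.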
Defensive priority
Medium. The issue can expose source code and depends on a developer visiting an attacker-controlled site while running the dev server over HTTP, so it is not a broad remote compromise. However, source disclosure can still be sensitive and should be patched promptly in development environments.
Recommended defensive actions
- Upgrade webpack-dev-server to 5.2.4 or later; this is the vendor fix and adds Cross-Origin-Resource-Policy: same-origin to responses.
- If you cannot upgrade immediately, do not serve the dev server over plain HTTP at a non-loopback host: serve it over HTTPS or bind it to loopback only, and avoid guessable host/port combinations.
- Restrict who can reach the dev server (bind address, allowed hosts, network segmentation) wherever practical.
- Avoid browsing untrusted sites in the same browser while a plain-HTTP dev server is running.
- Review whether any development workflow loads bundles from the dev server cross-origin (for example a second dev origin consuming its assets); Cross-Origin-Resource-Policy: same-origin will block those loads after the upgrade, and such workflows need to move to a single origin or a potentially trustworthy one.
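A hardened webpack.config.js that applies the actions above, added here as an example; it is not a vendor-supplied configuration, and upgrading to 5.2.4 remains the fix. The entry path, host names and port are assumptions; server, host, port, allowedHosts and headers are documented webpack-dev-server devServer options.

```javascript
// webpack.config.js: added hardening example for this debrief, not a vendor
// configuration. The fix for CVE-2026-6402 is webpack-dev-server 5.2.4+; these
// settings reduce exposure on an older version and are the editor's assumptions.
const config = {
  mode: 'development',
  entry: './src/index.js', // assumed entry point
  devServer: {
    // Serve over TLS so the origin is potentially trustworthy and browsers
    // attach Sec-Fetch-* headers; webpack-dev-server generates a self-signed
    // certificate when no certificate is supplied.
    server: 'https',
    // Bind to loopback only; widen this deliberately for a shared dev host.
    host: '127.0.0.1',
    port: 8080, // assumed port
    // Reject requests whose Host header is not one you expect.
    allowedHosts: ['localhost', '.dev.internal'], // assumed names
    // Same header the 5.2.4 fix sets on responses; harmless on a patched server.
    headers: {
      'Cross-Origin-Resource-Policy': 'same-origin',
    },
  },
};

module.exports = config;
```

Setting the header by configuration reproduces what the 5.2.4 fix does, but it also stops any legitimate cross-origin consumer of the dev bundle (for example a second dev origin that loads this server's assets), so check such workflows before enabling it. Serving over HTTPS addresses the root cause of the bypass, since browsers then send the Fetch Metadata headers the older check relied on.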
Evidence notes
All claims are grounded in the supplied CVE description, NVD metadata, and official vendor references. The NVD record marks the vulnerability as analyzed and provides the vulnerable version range ending before 5.2.4, the CVSS vector, and CWE-749. The supplied description states the root cause, the exploitation condition over non-potentially trustworthy origins, the Chrome 142 note, and the 5.2.4 fix using Cross-Origin-Resource-Policy: same-origin.
Official resources
- CVE-2026-6402 CVE record (CVE.org)
- CVE-2026-6402 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ce714d77-add3-4f53-aff5-83d477b104bb (Vendor Advisory)
- Mitigation or vendor reference: ce714d77-add3-4f53-aff5-83d477b104bb (Mitigation, Vendor Advisory)
Publicly disclosed on 2026-05-12 per the supplied CVE and source timestamps.