Webpack-dev-server: A vulnerability found in webpack-dev-server

@chromium1337 It is problem in dependencies or in webpack-dev-server code?

@evilebottnawi It's in webpack-dev-server code, not dependencies.

@chromium1337 please send details to sheo13666q @ gmail . com

Hi,
Not sure if it's the same vulnerability. I was just warn by NPM about these vulnerabilities which webpack-dev-server depends on:

👋 Hi I am looking at this issue as it seems to relate to these security advisories:

• https://nvd.nist.gov/vuln/detail/CVE-2018-14732
• https://www.npmjs.com/advisories/725

As far as I can tell, the fix commit has not made it to master nor been released? Both the NPM Advisory and CVE report a fix version of 3.1.6, but nothing in 3.1.6 release looks like the fix for this? The bugfix/origin-header branch needs a PR and to get merged and deployed.

Am I mistaken or has the fix for this not really been deployed?

This package is widely used so I am looking at this from the perspective of making sure the public data sources are correct.

CC fix commit author @sokra

this package should be used only for development purpose, so it is not very high priority

Done in [email protected]

@evilebottnawi Could you please advise the state of this vulnerability in webpack-dev-server 2.11.3? Is this vulnerability present, and if so is there a possibility of adding this patch as a security update?

In webpack-dev-server 2.11.3, npm audit found 1 high severity vulnerability.
+1 @xhocquet . We need a 2.x security update patch.