chore(deps): update dependency webpack-dev-server to v5.2.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	5.2.3 → 5.2.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

CVE-2026-6402 / GHSA-79cf-xcqc-c78w

More information

Details

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).

Resources

• GHSA-4v9v-hfq4-rm2v (CVE-2025-30359) - original vulnerability
• GHSA-9jgg-88mc-972h (CVE-2025-30360) - prior bypass

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w
• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h
• https://nvd.nist.gov/vuln/detail/CVE-2026-6402
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-79cf-xcqc-c78w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

CVE-2026-9595 / GHSA-mx8g-39q3-5c79

More information

Details

Impact

When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches

Fixed in webpack-dev-server 5.2.5.

Workarounds

Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
• https://nvd.nist.gov/vuln/detail/CVE-2026-9595
• https://github.com/facebook/create-react-app/pull/7444
• https://github.com/webpack/webpack-dev-server/pull/4316
• https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-mx8g-39q3-5c79

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.5

Compare Source

Patch Changes

• Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #​5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

• set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

• add cause for errorObject (#​5518) (37b033d)
• compatibility with event target and universal target and lazy compilation (574026c)
• overlay: add ESC key to dismiss overlay (#​5598) (f91baa8)
• progress indicator styles (#​5557) (41a53a1)
• upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

• "Overlay enabled" false positive (18e72ee)
• do not crush when error is null for runtime errors (#​5447) (309991f)
• remove unnecessary header X_TEST (#​5451) (64a6124)
• respect the allowedHosts option for cross-origin header check (#​5510) (03d1214)

v5.2.4

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.