Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-14730 Vulnerability in npm package browserify-hmr

Description

An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.

Remediation

References

https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages

https://github.com/AgentME/browserify-hmr/issues/41

Related Vulnerabilities

CVE-2021-44906 Vulnerability in npm package minimist

CVE-2020-6428 Vulnerability in maven package org.webjars.npm:electron

CVE-2023-49395 Vulnerability in maven package com.jfinal:jfinal

CVE-2018-3721 Vulnerability in maven package org.webjars.bower:lodash

CVE-2018-5673 Vulnerability in maven package org.webjars.bower:dojo

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Third Party Advisory