CVE-2026-14620 Overview
CVE-2026-14620 is a Cross-Site Request Forgery [CWE-352] vulnerability in webpack-dev-server versions 5.2.5 and earlier. The dev server exposes two internal endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request. Neither endpoint verifies that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin without user interaction beyond the visit itself. The issue is patched in webpack-dev-server 5.2.6.
Critical Impact
Attackers can open arbitrary local files in the developer's editor, including files outside the project root, and force repeated recompilations that degrade the developer's workstation.
Affected Products
- webpack-dev-server versions 5.2.5 and earlier
- Development environments running the vulnerable dev server locally
- Any project depending on webpack-dev-server transitively through build tooling
Discovery Timeline
- 2026-07-03 - CVE-2026-14620 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-14620
Vulnerability Analysis
The webpack-dev-server package binds to localhost during development and exposes internal HTTP endpoints used by its client runtime. Two of these endpoints accept unauthenticated GET requests and perform state-changing actions. The /webpack-dev-server/open-editor endpoint launches the developer's configured editor and opens a file specified in a query parameter. The /webpack-dev-server/invalidate endpoint forces the bundler to invalidate its cache and recompile.
Because both endpoints respond to simple GET requests, browsers treat them as safe cross-origin operations. A malicious page can embed an <img> tag or fetch call targeting http://localhost:<port>/webpack-dev-server/open-editor?file=<path> to trigger the action. No preflight request is generated, and no session token, Origin check, or SameSite cookie protection blocks the request.
Root Cause
The root cause is missing origin validation on state-changing endpoints. The server does not enforce a shared secret, verify the Origin or Referer header, or require a POST request with a CSRF token. Any process that can reach localhost on the dev server port can invoke these actions.
Attack Vector
An attacker hosts a page that issues requests to the well-known dev server port while the developer browses. Calling /webpack-dev-server/open-editor with an absolute path opens sensitive files, such as ~/.ssh/config or ~/.aws/credentials, in the developer's editor process. Repeated calls to /webpack-dev-server/invalidate force continuous recompilation, spawning editor processes and consuming CPU and memory on the workstation.
The vulnerability requires the developer to visit an attacker-controlled site while the dev server is running. Exploitation does not require authentication or credentials on the target machine. Refer to the GitHub Security Advisory GHSA-f5vj-f2hx-8m93 for the full technical writeup.
Detection Methods for CVE-2026-14620
Indicators of Compromise
- Unexpected editor windows opening files outside the current project root during a browsing session
- Cross-origin HTTP requests in browser developer tools targeting localhost paths under /webpack-dev-server/
- Repeated webpack recompilation events in the terminal without corresponding source file changes
- Spikes in CPU or memory usage from node or editor processes while a browser tab is active
Detection Strategies
- Inspect package.json and lockfiles across repositories for webpack-dev-server versions at or below 5.2.5
- Enable browser network logging during development to flag cross-origin traffic to localhost dev ports
- Review shell history and editor logs for files opened outside expected project directories
Monitoring Recommendations
- Track process creation events for editor binaries spawned by node parent processes on developer workstations
- Alert on inbound connections to loopback dev server ports from browser processes rendering non-localhost origins
- Correlate webpack-dev-server stdout invalidation messages with the absence of local filesystem write events
How to Mitigate CVE-2026-14620
Immediate Actions Required
- Upgrade webpack-dev-server to version 5.2.6 or later in every project that includes it as a direct or transitive dependency
- Audit lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) to confirm the patched version resolves at runtime
- Restart any running dev server instances after upgrading to load the patched code
- Instruct developers to stop the dev server when not actively coding
Patch Information
The maintainers released webpack-dev-server 5.2.6, which adds origin verification to the affected endpoints. Details are available in the GitHub Security Advisory GHSA-f5vj-f2hx-8m93 and the OpenJS Foundation Security Advisories.
Workarounds
- No official workarounds exist. Upgrade to webpack-dev-server 5.2.6
- As a defense-in-depth measure, bind the dev server to a non-default port and restrict browsing activity while it runs
- Consider running the dev server inside an isolated container or virtual machine that does not have access to sensitive user files
# Upgrade webpack-dev-server to the patched version
npm install --save-dev webpack-dev-server@^5.2.6
# Verify the resolved version
npm ls webpack-dev-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

