Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14620

CVE-2026-14620: Webpack-dev-server CSRF Vulnerability

CVE-2026-14620 is a CSRF vulnerability in Webpack-dev-server that allows attackers to trigger internal endpoints cross-origin, opening arbitrary local files and forcing recompilations. This post covers affected versions, impact, and mitigation.

Published:

CVE-2026-14620 Overview

CVE-2026-14620 is a Cross-Site Request Forgery [CWE-352] vulnerability in webpack-dev-server versions 5.2.5 and earlier. The dev server exposes two internal endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request. Neither endpoint verifies that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin without user interaction beyond the visit itself. The issue is patched in webpack-dev-server 5.2.6.

Critical Impact

Attackers can open arbitrary local files in the developer's editor, including files outside the project root, and force repeated recompilations that degrade the developer's workstation.

Affected Products

  • webpack-dev-server versions 5.2.5 and earlier
  • Development environments running the vulnerable dev server locally
  • Any project depending on webpack-dev-server transitively through build tooling

Discovery Timeline

  • 2026-07-03 - CVE-2026-14620 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-14620

Vulnerability Analysis

The webpack-dev-server package binds to localhost during development and exposes internal HTTP endpoints used by its client runtime. Two of these endpoints accept unauthenticated GET requests and perform state-changing actions. The /webpack-dev-server/open-editor endpoint launches the developer's configured editor and opens a file specified in a query parameter. The /webpack-dev-server/invalidate endpoint forces the bundler to invalidate its cache and recompile.

Because both endpoints respond to simple GET requests, browsers treat them as safe cross-origin operations. A malicious page can embed an <img> tag or fetch call targeting http://localhost:<port>/webpack-dev-server/open-editor?file=<path> to trigger the action. No preflight request is generated, and no session token, Origin check, or SameSite cookie protection blocks the request.

Root Cause

The root cause is missing origin validation on state-changing endpoints. The server does not enforce a shared secret, verify the Origin or Referer header, or require a POST request with a CSRF token. Any process that can reach localhost on the dev server port can invoke these actions.

Attack Vector

An attacker hosts a page that issues requests to the well-known dev server port while the developer browses. Calling /webpack-dev-server/open-editor with an absolute path opens sensitive files, such as ~/.ssh/config or ~/.aws/credentials, in the developer's editor process. Repeated calls to /webpack-dev-server/invalidate force continuous recompilation, spawning editor processes and consuming CPU and memory on the workstation.

The vulnerability requires the developer to visit an attacker-controlled site while the dev server is running. Exploitation does not require authentication or credentials on the target machine. Refer to the GitHub Security Advisory GHSA-f5vj-f2hx-8m93 for the full technical writeup.

Detection Methods for CVE-2026-14620

Indicators of Compromise

  • Unexpected editor windows opening files outside the current project root during a browsing session
  • Cross-origin HTTP requests in browser developer tools targeting localhost paths under /webpack-dev-server/
  • Repeated webpack recompilation events in the terminal without corresponding source file changes
  • Spikes in CPU or memory usage from node or editor processes while a browser tab is active

Detection Strategies

  • Inspect package.json and lockfiles across repositories for webpack-dev-server versions at or below 5.2.5
  • Enable browser network logging during development to flag cross-origin traffic to localhost dev ports
  • Review shell history and editor logs for files opened outside expected project directories

Monitoring Recommendations

  • Track process creation events for editor binaries spawned by node parent processes on developer workstations
  • Alert on inbound connections to loopback dev server ports from browser processes rendering non-localhost origins
  • Correlate webpack-dev-server stdout invalidation messages with the absence of local filesystem write events

How to Mitigate CVE-2026-14620

Immediate Actions Required

  • Upgrade webpack-dev-server to version 5.2.6 or later in every project that includes it as a direct or transitive dependency
  • Audit lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) to confirm the patched version resolves at runtime
  • Restart any running dev server instances after upgrading to load the patched code
  • Instruct developers to stop the dev server when not actively coding

Patch Information

The maintainers released webpack-dev-server 5.2.6, which adds origin verification to the affected endpoints. Details are available in the GitHub Security Advisory GHSA-f5vj-f2hx-8m93 and the OpenJS Foundation Security Advisories.

Workarounds

  • No official workarounds exist. Upgrade to webpack-dev-server 5.2.6
  • As a defense-in-depth measure, bind the dev server to a non-default port and restrict browsing activity while it runs
  • Consider running the dev server inside an isolated container or virtual machine that does not have access to sensitive user files
bash
# Upgrade webpack-dev-server to the patched version
npm install --save-dev webpack-dev-server@^5.2.6

# Verify the resolved version
npm ls webpack-dev-server

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.