7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-14731

GHSA ID

GHSA-37q6-576q-vgr7

EPSS Score

0.29058%

CWE

CWE-200

Published

10/30/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-14731

CVE-2018-14731: Missing Origin Validation in parcel-bundler

Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

Update to version 1.10.0 or later.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-14731

GHSA ID

GHSA-37q6-576q-vgr7

EPSS Score

0.29058%

CWE

CWE-200

Published

10/30/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parcel-bundler	npm	< 1.10.0	1.10.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from creating a WebSocket server without origin validation in the HMRServer constructor. The patch adds origin checks by conditionally setting the 'origin' property in websocketOptions when initializing WebSocket.Server. The pre-patch code directly instantiated WebSocket.Server with {server: this.server} without any origin restrictions, making the HMR websocket endpoint accessible from any origin.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `p*r**l-*un*l*r` ***or* *.**.* *r* missin* ori*in v*li**tion on t** w**so*k*t s*rv*r. T*is vuln*r**ility *llows * r*mot* *tt**k*r to st**l * **v*lop*r's sour** *o** ****us* t** ori*in o* r*qu*sts to t** w**so*k*t s*rv*r t**t is us** *or *

Reasoning

T** vuln*r**ility st*mm** *rom *r**tin* * `W**So*k*t` s*rv*r wit*out ori*in v*li**tion in t** `*MRS*rv*r` *onstru*tor. T** p*t** ***s ori*in ****ks *y *on*ition*lly s*ttin* t** 'ori*in' prop*rty in `w**so*k*tOptions` w**n initi*lizin* `W**So*k*t.S*rv

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-14731: Missing Origin Validation in parcel-bundler

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI