
CVE-2018-14731: Missing Origin Validation in parcel-bundler

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.29058%
Published: 10/30/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name     Ecosystem   Vulnerable Versions   First Patched Version
parcel-bundler   npm         < 1.10.0              1.10.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from creating a WebSocket server without origin validation in the HMRServer constructor. The patch adds origin checks by conditionally setting the 'origin' property in websocketOptions when initializing WebSocket.Server. The pre-patch code instantiated WebSocket.Server directly with {server: this.server} and no origin restriction, so a page served from any origin could open a connection to the HMR WebSocket endpoint.
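The missing check described above, as an added example rather than parcel-bundler's own code: an Origin allow-list for a dev-server WebSocket endpoint, wired into the `verifyClient` hook that the `ws` library evaluates on every upgrade request (the page says the real patch sets an `origin` property in websocketOptions instead). The `hostname`/`port` values and the function names are assumptions.

```javascript
// Added example, not parcel-bundler's code. Demonstrates the origin check the
// pre-1.10.0 HMR server lacked. `hostname` and `port` are assumed to be the
// address the dev server is bound to (e.g. localhost:1234).

// Origins a browser page may connect from: the dev server itself, over either scheme.
function buildAllowedOrigins(hostname, port) {
  return new Set([
    `http://${hostname}:${port}`,
    `https://${hostname}:${port}`,
  ]);
}

// True only when the Origin header names an allowed origin.
// Browsers always send Origin on a WebSocket upgrade; a missing or "null"
// Origin cannot be tied to a trusted page, so it is rejected.
function isAllowedOrigin(originHeader, allowed) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader); // malformed values (e.g. bad port) throw
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // url.origin lowercases the host and drops default ports, so compare the
  // header against the same normalized form of each allow-list entry.
  for (const entry of allowed) {
    if (new URL(entry).origin === url.origin) return true;
  }
  return false;
}

// Options for `new WebSocket.Server(...)`: the pre-patch shape was just
// { server }; adding verifyClient rejects cross-origin upgrades before the
// handshake completes. `info.origin` is the Origin header as seen by ws.
function websocketOptions(server, hostname, port) {
  const allowed = buildAllowedOrigins(hostname, port);
  return {
    server,
    verifyClient: (info) => isAllowedOrigin(info.origin, allowed),
  };
}
```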


WAF Protection Rules

WAF Rule

Versions of `parcel-bundler` before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for
