CVE-2018-14731: Missing Origin Validation in parcel-bundler
CVSS Score (v3.0): 7.5
Basic Information
CVE ID: CVE-2018-14731
GHSA ID:
EPSS Score: 0.29058%
CWE:
Published: 10/30/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
parcel-bundler | npm | < 1.10.0 | 1.10.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from creating a WebSocket server without origin validation in the HMRServer constructor. The pre-patch code instantiated WebSocket.Server directly with {server: this.server} and no origin restriction, so the HMR websocket endpoint accepted upgrade requests from any origin: a page served from some other origin and loaded in the same browser could open a WebSocket to the local HMR port and receive whatever the server pushes (the CVSS vector above scores this as a confidentiality impact only). The patch adds origin checks by conditionally setting the 'origin' property in websocketOptions when initializing WebSocket.Server.