The vulnerability is an Origin Validation Error (CWE-346) in the Parcel development server. The root cause is a failure to validate the Origin and Host headers of incoming HTTP and WebSocket requests. As a result, any website open in a developer's browser could interact with the local development server, defeating the isolation the browser's same-origin policy is meant to provide.
The analysis of the patch commit 4bc56e3242a85491c7edf589966e9b44c6330c49 reveals three key areas of weakness that were addressed:
Insecure CORS Configuration: The setHeaders function in packages/reporters/dev-server/src/Server.js unconditionally set Access-Control-Allow-Origin: *. Because the browser then permits any origin to read the response body, a page on a malicious site could fetch files from the development server and exfiltrate source code.
Missing Host Header Validation: The main server middleware in Server.start did not validate the Host header, making it susceptible to DNS rebinding. An attacker-controlled hostname that resolves to the loopback address lets the attacker's page reach the development server as a same-origin request, so CORS is never consulted at all.
Cross-Site WebSocket Hijacking (CSWSH): The HMRServer.start method created a WebSocket server without validating the Origin of incoming connections. The WebSocket handshake is not subject to CORS, so any website could establish a persistent WebSocket connection to the development server from the developer's browser.
The identified vulnerable functions are the ones that were directly responsible for these security lapses. During an exploit, setHeaders would be called to generate the permissive CORS headers, and the lack of validation in Server.start and HMRServer.start would allow the malicious requests to be processed in the first place.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @parcel/reporter-dev-server | npm | <= 2.14.4 | |