CVE-2018-14730

HIGH

browserify-hmr < 0.4.0 - Unauthenticated Exposure of Sensitive Information via WebSocket Server

Title source: llm

Description

An issue was discovered in Browserify-HMR. Attackers are able to steal a developer's code because the WebSocket server used for HMR (Hot Module Replacement) does not check the origin of incoming requests. Anyone can receive the HMR messages sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.
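The defect described above is a missing Origin allow-list on the WebSocket upgrade. The following is an added example of such a check for a local dev server in Node.js; it is not code from browserify-hmr, and the function names, the allow-list entry `http://localhost:3123` (assuming the bundle is served from the same port the page mentions) and the choice to reject requests without an Origin header are assumptions made for this illustration.

```javascript
'use strict';
// Origin allow-list check for a local HMR WebSocket server (added example, not project code).
// A browser always sends an Origin header on a WebSocket handshake, so comparing it
// against the dev server's own origin keeps arbitrary web pages from subscribing
// to HMR messages on 127.0.0.1.

// Normalise an Origin header value to "scheme://host[:port]"; null if unusable.
// Lower-cases scheme and host and drops default ports so comparisons are exact.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  try {
    const u = new URL(value.trim());
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin;
  } catch (e) {
    // Covers the literal string "null" (sandboxed iframes, file://) and garbage.
    return null;
  }
}

// Decide whether an HTTP Upgrade request may proceed to a WebSocket.
// `headers` is Node's req.headers (keys already lower-cased). Returns { ok, reason }.
// Assumption: a missing or unparsable Origin is rejected (deny by default).
function checkUpgradeOrigin(headers, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  const origin = normalizeOrigin(headers['origin']);
  if (origin === null) {
    return { ok: false, reason: 'missing or unparsable Origin header' };
  }
  if (!allowed.has(origin)) {
    return { ok: false, reason: 'origin ' + origin + ' not in allow-list' };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Hook the check into an http.Server's 'upgrade' event so that disallowed
// origins get a 403 and are closed before any WebSocket handshake completes.
// `onAccepted(req, socket, head)` is where the real WebSocket handler would be
// invoked (hypothetical callback; not the project's own API).
function attachOriginGuard(server, allowedOrigins, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgradeOrigin(req.headers, allowedOrigins);
    if (!verdict.ok) {
      socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    onAccepted(req, socket, head);
  });
}

// Constructed sample handshakes for a dev server assumed to serve the page on port 3123.
const DEV_ORIGINS = ['http://localhost:3123', 'http://127.0.0.1:3123'];
const sameOrigin = checkUpgradeOrigin({ origin: 'http://localhost:3123' }, DEV_ORIGINS);
const crossOrigin = checkUpgradeOrigin({ origin: 'http://other.example' }, DEV_ORIGINS);
const noOrigin = checkUpgradeOrigin({}, DEV_ORIGINS);
console.log(sameOrigin.reason);  // origin allowed
console.log(crossOrigin.reason); // origin http://other.example not in allow-list
console.log(noOrigin.reason);    // missing or unparsable Origin header
```

`checkUpgradeOrigin` is deliberately kept separate from the transport so it can be unit-tested and reused; `attachOriginGuard` shows one place to apply it, the `upgrade` event of Node's `http.Server`, which fires before any WebSocket library takes over the socket.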

References (2)

- https://github.com/AgentME/browserify-hmr/issues/41 (Third Party Advisory, x_refsource_misc)

Scores

CVSS v3 7.5
EPSS 0.0169
EPSS Percentile 74.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (2)
- browserify-hot_module_replacement_project/browserify-hot_module_replacement
- npm/browserify-hmr 0 - 0.4.0 (npm)
Published Sep 21, 2018
Tracked Since Feb 18, 2026