CVE-2018-14730
Severity: HIGH
browserify-hmr < 0.4.0 - Unauthenticated Exposure of Sensitive Information via WebSocket Server
Title source: llmDescription
An issue was discovered in Browserify-HMR. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server used for HMR (Hot Module Replacement). Anyone can receive the HMR messages sent by the WebSocket server over a ws://127.0.0.1:3123/ connection from any origin.
References (2)
https://github.com/AgentME/browserify-hmr/issues/41 (Third Party Advisory, x_refsource_misc)
https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages (Exploit, Third Party Advisory, x_refsource_misc)
Scores
CVSS v3
7.5
EPSS
0.0169
EPSS Percentile
74.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
browserify-hot_module_replacement_project/browserify-hot_module_replacement
npm/browserify-hmr
Affected versions: 0 - 0.4.0 (npm)
Published
Sep 21, 2018
Tracked Since
Feb 18, 2026