CVE-2026-14631 PUBLISHED

webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

Assigner: openjs
Reserved: 03.07.2026 Published: 03.07.2026 Updated: 03.07.2026

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server. Impact is limited to availability of the development server: no data disclosure and no code execution. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.
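
To check a project against the patch and workaround above, the following added example (not code from webpack-dev-server or from this advisory) scans a parsed `package-lock.json` for every installed copy of the package and flags a non-loopback `devServer.host`. It assumes the lockfileVersion 2/3 `packages` layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit helper, not part of webpack-dev-server.
const FIXED = [5, 2, 6]; // first unaffected version per this advisory

// True when a version string falls in the affected range [0, 5.2.6).
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return true; // unparsable or missing: fail closed, review by hand
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease of 5.2.6 sorts before 5.2.6
}

// Collect every installed copy, including ones nested under other packages.
function findCopies(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/webpack-dev-server' ||
        path.endsWith('/node_modules/webpack-dev-server')) {
      out.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return out;
}

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// An unset host means the default, which the advisory states is localhost.
function isLoopbackOnly(devServer = {}) {
  return devServer.host === undefined || LOOPBACK.has(devServer.host);
}

// upgradeNeeded: an affected copy is installed.
// exposed: an affected copy is installed and the server is not loopback-only.
function audit(lock, devServer) {
  const copies = findCopies(lock);
  const upgradeNeeded = copies.some((c) => c.affected);
  return { copies, upgradeNeeded, exposed: upgradeNeeded && !isLoopbackOnly(devServer) };
}

// Constructed sample lockfile: one affected copy, one patched nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/webpack-dev-server': { version: '5.2.5' },
  'node_modules/some-tool/node_modules/webpack-dev-server': { version: '5.2.6' },
} };
console.log(audit(sampleLock, { host: '0.0.0.0' }));
```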

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Product Status

Vendor webpack-dev-server
Product webpack-dev-server
Versions Default: unaffected
  • affected from 0 to 5.2.6 (excl.)
  • Version 5.2.6 is unaffected

Credits

  • Str1ckl4nd reporter
  • bjohansebas coordinator
  • UlisesGascon analyst

Problem Types

  • CWE-20: Improper Input Validation CWE
  • CWE-248: Uncaught Exception CWE