Denial of Service Vulnerability in Webpack Dev Server by Webpack
CVE-2026-14631

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 3 July 2026

What is CVE-2026-14631?

The webpack-dev-server, up to version 5.2.5, is susceptible to a Denial of Service vulnerability where a malformed Host header in a normal HTTP request or a malformed Origin header during a WebSocket upgrade can cause the Node.js process to terminate unexpectedly. This results in an interruption of the development server's availability. While this vulnerability does not compromise data confidentiality or allow code execution, it is crucial for developers to upgrade to webpack-dev-server version 5.2.6 or later to secure their development environments. It is also advisable to keep the server bound to localhost and not to expose it to untrusted networks to mitigate this risk.

Affected Version(s)

webpack-dev-server 0 < 5.2.6

webpack-dev-server 5.2.6

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Str1ckl4nd
bjohansebas
UlisesGascon