Denial of Service Vulnerability in Webpack Dev Server by Webpack
CVE-2026-14631
5.3 MEDIUM
What is CVE-2026-14631?
webpack-dev-server, up to version 5.2.5, is susceptible to a Denial of Service vulnerability: a malformed Host header in a normal HTTP request, or a malformed Origin header during a WebSocket upgrade, can cause the Node.js process to terminate unexpectedly. This interrupts the development server's availability. The vulnerability does not compromise data confidentiality or allow code execution, but developers should upgrade to webpack-dev-server version 5.2.6 or later to secure their development environments. It is also advisable to keep the server bound to localhost and not to expose it to untrusted networks to mitigate this risk.
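The following check is an added example, not code from the advisory or from the webpack project. It audits a parsed package-lock.json for copies of webpack-dev-server older than 5.2.6, including nested ones, and flags a devServer host that is not explicitly loopback. The function names and the sample lockfile are constructed for illustration, and a lockfile with a "packages" map (lockfileVersion 2 or 3) is assumed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3) for
// webpack-dev-server copies older than the fixed release named in the advisory.
const FIXED = [5, 2, 6];

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 5.2.6. Unparseable versions and
// prereleases of 5.2.6 itself are reported as affected (conservative choice).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk the lockfile "packages" map; nested copies have keys such as
// "node_modules/a/node_modules/webpack-dev-server".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "webpack-dev-server" && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// The advisory also recommends keeping the server bound to localhost.
// An unset host is reported too, so the binding is explicit in the config.
function hostIsLoopback(devServer = {}) {
  return ["localhost", "127.0.0.1", "::1"].includes(devServer.host);
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/webpack-dev-server": { version: "5.2.6" },
    "node_modules/legacy-tool/node_modules/webpack-dev-server": { version: "4.15.2" },
    "node_modules/other/node_modules/webpack-dev-server": { version: "5.2.5" },
  },
};
console.log(findAffected(sampleLock), hostIsLoopback({ host: "0.0.0.0" }));
```

Nested copies matter here because upgrading the top-level dependency does not replace a copy pinned under another package's node_modules.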
Affected Version(s)
webpack-dev-server 0 < 5.2.6
webpack-dev-server 5.2.6
