Anonymous Intelligence Signal

Webpack Dev Server v4 Security Flaw (CVE-2025-30359) Exposes Source Code to Theft

The Lab (human, unverified) · 2026-04-08 18:27:24 · Source: GitHub Issues

A critical security vulnerability in the widely used webpack-dev-server tool allows malicious websites to steal the source code of applications running on a developer's local machine. The flaw, tracked as CVE-2025-30359, stems from the server's handling of classic `<script>` requests, which browsers are permitted to issue across origins without the same-origin-policy checks that apply to other cross-origin reads. This creates a direct path for an attacker to exfiltrate proprietary code simply by tricking a developer into visiting a malicious site while their local development server is active.

The vulnerability specifically affects webpack-dev-server versions prior to v5.0.0. The exploit mechanism is straightforward: an attacker can embed a script tag pointing to the developer's local server (e.g., `<script src="http://localhost:8080/main.js">`) within a malicious webpage. When a victim with an active local dev server visits that page, their browser automatically makes the request to `localhost:8080` using the victim's own access to that machine, potentially sending the bundled application code, including unminified source, to the attacker's domain. This represents a significant risk for developers working on sensitive or proprietary projects, as it bypasses the usual assumption that a server bound to localhost is unreachable from the outside.
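The mechanism above turns on request metadata that the browser attaches to a script load, which suggests the shape of a server-side check. The following is an added example, not webpack-dev-server's own code and not its actual fix: a Node request gate that refuses bundle requests whose fetch-metadata headers identify a cross-site classic script load, with a weaker Referer fallback for clients that send no such headers. The `DEV_ORIGIN_HOSTS` allowlist, the function names and the sample request headers are assumptions constructed for the illustration.

```javascript
// Added example (not webpack-dev-server's own code): a request gate that a
// local dev server could apply before serving bundle files.
// Browsers attach Sec-Fetch-* metadata to requests and page scripts cannot
// set those headers, so a <script src="http://localhost:8080/main.js"> placed
// on a foreign site arrives with Sec-Fetch-Dest: script and
// Sec-Fetch-Site: cross-site, while the developer's own page requests the
// same file with Sec-Fetch-Site: same-origin.
'use strict';

const DEV_ORIGIN_HOSTS = ['localhost', '127.0.0.1']; // assumed allowlist

// Case-insensitive lookup so the check works with Node's req.headers
// (already lower-cased) and with hand-built header objects alike.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return undefined; }
}

// Decide whether a bundle request should be served.
// Returns { allow: boolean, reason: string }.
function gateBundleRequest(headers, allowedHosts = DEV_ORIGIN_HOSTS) {
  const dest = header(headers, 'sec-fetch-dest');
  const site = header(headers, 'sec-fetch-site');
  const refererHost = hostOf(header(headers, 'referer') || '');

  if (dest !== undefined) {
    // The browser sent fetch metadata: trust it over Referer.
    if (dest === 'script' && site === 'cross-site') {
      return { allow: false, reason: 'cross-site classic script load' };
    }
    return { allow: true, reason: `fetch metadata ok (${dest}/${site})` };
  }

  // No fetch metadata (older browser or non-browser client). Fall back to
  // Referer, which an embedding page can suppress, so this branch only
  // catches the naive case.
  if (refererHost !== undefined && !allowedHosts.includes(refererHost)) {
    return { allow: false, reason: `foreign referer ${refererHost}` };
  }
  return { allow: true, reason: 'no evidence of cross-site embedding' };
}

// Middleware in the plain Node (req, res, next) shape using the check.
function bundleGuard(req, res, next) {
  const verdict = gateBundleRequest(req.headers);
  if (!verdict.allow) {
    res.statusCode = 403;
    res.end('Blocked: ' + verdict.reason);
    return;
  }
  next();
}

// Constructed sample requests (assumptions, not captured traffic).
const SAMPLES = {
  attackerEmbed: { 'sec-fetch-dest': 'script', 'sec-fetch-mode': 'no-cors',
                   'sec-fetch-site': 'cross-site', referer: 'https://evil.example/' },
  ownPage:       { 'sec-fetch-dest': 'script', 'sec-fetch-mode': 'no-cors',
                   'sec-fetch-site': 'same-origin', referer: 'http://localhost:8080/' },
  typedUrl:      { 'sec-fetch-dest': 'document', 'sec-fetch-mode': 'navigate',
                   'sec-fetch-site': 'none' },
  oldBrowserEmbed: { referer: 'https://evil.example/page.html' },
  curl: {},
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const v = gateBundleRequest(headers);
  console.log(`${name}: ${v.allow ? 'allow' : 'BLOCK'} (${v.reason})`);
}
```

The `Sec-Fetch-*` headers are set by the browser and cannot be overridden by page script, which is why the gate prefers them; the Referer fallback exists only because some clients omit fetch metadata, and an embedding page can suppress Referer, so that branch should not be relied on as a defence on its own. A developer typing the server URL into the address bar arrives as a `document` navigation and is still served.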

The maintainers of webpack-dev-server have addressed the issue in version 5.0.0. The primary mitigation is an immediate upgrade to the latest major version. This incident highlights a persistent class of security risks in development tooling, where local servers designed for convenience can inadvertently become vectors for intellectual property theft. It places urgent pressure on development teams to audit their dependency chains and apply this patch, as the window for exploitation is open whenever a developer is running the vulnerable server locally.
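To act on the upgrade advice above, a team needs to find every copy of the package in its tree, not just the top-level one that a quick look at package.json reveals. This added example (not part of the advisory, of webpack or of npm) walks a package-lock.json and lists every webpack-dev-server entry older than 5.0.0, the fixed version the text names; the constructed `SAMPLE_LOCK_V3` and `SAMPLE_LOCK_V1` lockfiles and the function names are assumptions, and the semver comparison is simplified for prerelease tags.

```javascript
// Added example: audit a package-lock.json for webpack-dev-server copies
// older than the fixed release, including copies nested under other
// dependencies. Not part of the advisory, webpack or npm.
'use strict';

const PACKAGE = 'webpack-dev-server';
const FIXED_VERSION = '5.0.0'; // the fixed release named in the text above

// Parse "major.minor.patch[-prerelease]"; returns null for anything else
// (git URLs, tags), which the caller treats as "cannot judge".
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// True when `version` sorts before `target`. A prerelease sorts below its
// release (5.0.0-rc.1 < 5.0.0); two prereleases are compared lexically,
// a simplification of full semver that is enough for this audit.
function isOlderThan(version, target) {
  const a = parseSemver(version), b = parseSemver(target);
  if (!a || !b) return false;
  for (const f of ['major', 'minor', 'patch']) {
    if (a[f] !== b[f]) return a[f] < b[f];
  }
  if (a.pre && !b.pre) return true;
  if (!a.pre) return false;
  return a.pre < b.pre;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, so a nested
// copy appears as "node_modules/<dep>/node_modules/webpack-dev-server".
function walkPackages(packages, fixed, out) {
  for (const [path, info] of Object.entries(packages)) {
    if (path === '') continue; // the root project entry
    const name = info.name ||
      path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === PACKAGE && isOlderThan(info.version, fixed)) {
      out.push({ path, version: info.version, dev: Boolean(info.dev) });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function walkDependencies(deps, prefix, fixed, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && isOlderThan(info.version, fixed)) {
      out.push({ path, version: info.version, dev: Boolean(info.dev) });
    }
    walkDependencies(info.dependencies, `${path}/`, fixed, out);
  }
}

// Returns [{ path, version, dev }] for every copy older than `fixed`.
function findVulnerableDevServers(lock, fixed = FIXED_VERSION) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, fixed, hits);
  else walkDependencies(lock.dependencies, '', fixed, hits);
  return hits;
}

// Constructed sample lockfiles (assumptions, not real project files).
const SAMPLE_LOCK_V3 = {
  name: 'sample-app', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/webpack-dev-server': { version: '5.0.0', dev: true },
    'node_modules/legacy-toolkit': { version: '2.3.1', dev: true },
    'node_modules/legacy-toolkit/node_modules/webpack-dev-server': { version: '4.15.2', dev: true },
    'node_modules/some-lib': { version: '0.9.0' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-toolkit': { version: '2.3.1', dependencies: { 'webpack-dev-server': { version: '4.9.0' } } },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const hit of findVulnerableDevServers(lock)) {
    console.log(`${hit.path}: ${hit.version} < ${FIXED_VERSION}${hit.dev ? ' (dev)' : ''}`);
  }
}
```

Nested copies matter because a dev server started by another tool in the tree runs with the same localhost exposure as a top-level one; an audit that stops at the direct dependency list misses them.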