Description
An issue was discovered in Browserify-HMR. Attackers can steal a developer's source code because the WebSocket server used for HMR (Hot Module Replacement) does not check the origin of incoming requests. Any web page, served from any origin, can open a ws://127.0.0.1:3123/ connection and receive the HMR messages the WebSocket server sends, which carry the developer's code.
Remediation
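The underlying weakness is a WebSocket handshake accepted regardless of the browser-supplied Origin header. The following is an added example, not Browserify-HMR's own code, of the check a local dev server should perform before completing the upgrade: a strict allowlist of normalised origins, with rejected handshakes answered by 403 and the socket closed. The allowlist entries and the `guardUpgrade` helper are assumptions for illustration; the port 3123 comes from the advisory.

```javascript
'use strict';

// Origins permitted to open the HMR WebSocket. Placeholder values for this
// example; a real dev server would derive them from its own host and port.
// Binding to 127.0.0.1 alone does not help: the victim's browser is on the
// same machine and will happily connect on behalf of any page it has loaded.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080', 'http://127.0.0.1:8080']);

// Returns true only when the Origin header parses as a URL and its
// scheme://host[:port] form is in the allowlist. Parsing with the WHATWG URL
// class normalises case, so 'HTTP://LOCALHOST:8080' matches; anything that is
// not a URL (including the literal 'null' origin of sandboxed or file:// pages)
// is rejected. Browsers always send Origin on WebSocket handshakes; a missing
// header therefore indicates a non-browser client and is accepted only when
// the caller explicitly opts in with allowMissing.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS, allowMissing = false) {
  if (origin === undefined || origin === null) return allowMissing;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  return allowed.has(parsed.origin);
}

// Guard for the HTTP Upgrade request that starts a WebSocket handshake.
// `req` is the incoming http.IncomingMessage and `socket` the raw connection,
// as delivered by Node's http server 'upgrade' event. Returns true when the
// handshake may proceed (hand req/socket to the WebSocket library next);
// returns false after answering 403 and destroying the socket.
function guardUpgrade(req, socket) {
  if (isAllowedOrigin(req.headers.origin)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}

// Example wiring (assumed, not run here):
//   const server = http.createServer();
//   server.on('upgrade', (req, socket, head) => {
//     if (!guardUpgrade(req, socket)) return;
//     wss.handleUpgrade(req, socket, head, (ws) => wss.emit('connection', ws, req));
//   });
//   server.listen(3123, '127.0.0.1');
```

The same `isAllowedOrigin` check fits a WebSocket library's handshake hook if it exposes the Origin header; the point is that the decision happens before any HMR message is sent.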
References
https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages
https://github.com/AgentME/browserify-hmr/issues/41