Description
An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.
Remediation
References
https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages
https://github.com/AgentME/browserify-hmr/issues/41
Related Vulnerabilities
CVE-2017-16215 Vulnerability in npm package sgqserve
CVE-2020-15156 Vulnerability in npm package nodebb-plugin-blog-comments
CVE-2021-27578 Vulnerability in maven package org.apache.zeppelin:zeppelin
CVE-2022-25908 Vulnerability in npm package create-choo-electron
CVE-2021-21391 Vulnerability in npm package ckeditor5-engine