CVE-2026-14631
Severity: Medium (CVSS 5.3)
Exploitation Probability (EPSS): Low risk, 23rd percentile (higher than 23% of all known CVEs)
Summary
A vulnerability in webpack-dev-server versions 5.2.5 and earlier terminates the Node.js process when an unauthenticated peer sends a normal HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server.
Risk Assessment
The risk is limited to availability of the development server, potentially disrupting the software development process. No data disclosure or code execution is possible.
Recommendation
Upgrade to webpack-dev-server version 5.2.6. As a workaround, keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.
Original NVD description (English source)
webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server. Impact is limited to availability of the development server, no data disclosure, no code execution. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.
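The failure mode described in the summary, a parse error thrown inside host validation with nothing to catch it, shown beside a fail-closed form. This is an added example, not webpack-dev-server's code: the allowlist, the function names, the sample header values and the choice of the WHATWG URL parser are assumptions made for illustration.

```javascript
// Added illustration, not webpack-dev-server code. All names are hypothetical.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Host carries "name:port"; Origin carries a full URL. Normalise both.
const asUrl = (value) => (value.includes("://") ? value : `http://${value}`);

// Fragile: new URL() throws TypeError on unparsable input. Called from a
// request or upgrade handler without try/catch, that exception is uncaught
// and takes the whole Node.js process down.
function isAllowedFragile(headerValue) {
  return ALLOWED_HOSTS.has(new URL(asUrl(headerValue)).hostname);
}

// Hardened: any value that is missing, oversized or unparsable is rejected.
function isAllowedHardened(headerValue) {
  if (typeof headerValue !== "string") return false;
  if (headerValue.length === 0 || headerValue.length > 255) return false;
  try {
    return ALLOWED_HOSTS.has(new URL(asUrl(headerValue)).hostname);
  } catch {
    return false; // fail closed: a bad header is a 403, not a crash
  }
}

// Status a handler would send; it never throws, whatever the peer supplies.
function statusFor(headerValue) {
  return isAllowedHardened(headerValue) ? 200 : 403;
}

// Constructed sample header values (not taken from the advisory).
const SAMPLES = ["localhost:8080", "http://localhost:8080", "other.example", "[::1", undefined];

function runSamples() {
  return SAMPLES.map((value) => {
    let fragile;
    try {
      fragile = isAllowedFragile(value) ? "allow" : "deny";
    } catch (err) {
      fragile = `throws ${err.name}`;
    }
    return { value, fragile, hardened: statusFor(value) };
  });
}

console.table(runSamples());
```

The same rule applies to any validation that runs on peer-controlled headers before authentication: treat a parse failure as a rejection at the point of parsing rather than relying on a process-level handler.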

