webpack-dev-server-5.2.2.tgz: 3 vulnerabilities (highest severity is: 5.8) #1624
Description
Vulnerable Library - webpack-dev-server-5.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (webpack-dev-server version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-13466 |  Medium |
5.8 | body-parser-1.20.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-4067 | Medium |
5.3 | micromatch-4.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-7339 |  Low |
3.4 | on-headers-1.0.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-13466
Vulnerable Library - body-parser-1.20.3.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- webpack-dev-server-5.2.2.tgz (Root Library)
- express-4.21.2.tgz
- ❌ body-parser-1.20.3.tgz (Vulnerable Library)
- express-4.21.2.tgz
Found in base branch: main
Vulnerability Details
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
This issue is addressed in version 2.2.1.
Publish Date: 2025-11-24
URL: CVE-2025-13466
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-24
Fix Resolution: https://github.com/expressjs/body-parser.git - v2.2.1,body-parser - 2.2.1
CVE-2024-4067
Vulnerable Library - micromatch-4.0.2.tgz
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- webpack-dev-server-5.2.2.tgz (Root Library)
- http-proxy-middleware-2.0.9.tgz
- ❌ micromatch-4.0.2.tgz (Vulnerable Library)
- http-proxy-middleware-2.0.9.tgz
Found in base branch: main
Vulnerability Details
The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.braces()" in "index.js" because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8. After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
CVE-2025-7339
Vulnerable Library - on-headers-1.0.2.tgz
Execute a listener when a response is about to write headers
Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- webpack-dev-server-5.2.2.tgz (Root Library)
- compression-1.7.4.tgz
- ❌ on-headers-1.0.2.tgz (Vulnerable Library)
- compression-1.7.4.tgz
Found in base branch: main
Vulnerability Details
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions "<1.1.0" may result in response headers being inadvertently modified when an array is passed to "response.writeHead()". Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to "1.1.0", but this issue can be worked around by passing an object to "response.writeHead()" rather than an array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-17
URL: CVE-2025-7339
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-76c9-3jph-rj3q
Release Date: 2025-07-17
Fix Resolution: on-headers - 1.1.0,https://github.com/jshttp/on-headers.git - v1.1.0