CVE-2026-14620 webpack-dev-server vulnerability
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.
Quick answer
webpack.js webpack-dev-server should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 5.2.5 and earlier
Fixed versions
- 5.2.6
How to fix it
CVE-2026-14620 affects webpack-dev-server. It can let a remote page or request crash the dev server or trigger unsafe developer actions. Upgrade to 5.2.6 and keep dev servers off untrusted networks.
- Find projects that depend on webpack-dev-server.
- Check package-lock, yarn.lock, pnpm-lock, and package.json versions.
- Upgrade webpack-dev-server to 5.2.6 or newer.
- Reinstall dependencies and commit the lockfile change.
- Keep the dev server bound to localhost unless a trusted tunnel is required.
- Do not expose dev servers to the internet or shared office networks.
- Restart the dev server after the package update.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Run npm ls webpack-dev-server and confirm 5.2.6 or newer.
- Confirm the lockfile no longer resolves to an older version.
- Start the dev server and confirm it binds only to localhost.
- Retest the development workflow after the update.
- Record the package version and lockfile change as evidence.
Trusted references
FAQ
What is affected by CVE-2026-14620?
webpack.js webpack-dev-server versions listed as affected should be reviewed: 5.2.5 and earlier.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
