mediumCVE-2026-14631

CVE-2026-14631 webpack-dev-server vulnerability

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server. Impact is limited to availability of the development server, no data disclosure, no code execution. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.

Productwebpack-dev-server
CVSS5.3
EPSSNot scored yet
UpdatedJuly 14, 2026

Quick answer

webpack.js webpack-dev-server should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • 5.2.5 and earlier

Fixed versions

  • 5.2.6

How to fix it

CVE-2026-14631 affects webpack-dev-server. It can let a remote page or request crash the dev server or trigger unsafe developer actions. Upgrade to 5.2.6 and keep dev servers off untrusted networks.

  1. Find projects that depend on webpack-dev-server.
  2. Check package-lock, yarn.lock, pnpm-lock, and package.json versions.
  3. Upgrade webpack-dev-server to 5.2.6 or newer.
  4. Reinstall dependencies and commit the lockfile change.
  5. Keep the dev server bound to localhost unless a trusted tunnel is required.
  6. Do not expose dev servers to the internet or shared office networks.
  7. Restart the dev server after the package update.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Run npm ls webpack-dev-server and confirm 5.2.6 or newer.
  • Confirm the lockfile no longer resolves to an older version.
  • Start the dev server and confirm it binds only to localhost.
  • Retest the development workflow after the update.
  • Record the package version and lockfile change as evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-14631?

webpack.js webpack-dev-server versions listed as affected should be reviewed: 5.2.5 and earlier.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.