Backport security fix from v5.2.1 to version-4 (non-Chromium browser dev-server vulnerability) by Wajih-Ul-Hasan · Pull Request #5534 · webpack/webpack-dev-server

Summary

Backported the security patch from v5.2.1 to the version-4 branch to prevent dev client injection into unauthorized or potentially malicious browsers via the /webpack-dev-server route.

What This Fixes

  • Prevents exposure of dev asset listings and client scripts to untrusted sources
  • Implements a header-based access control mechanism instead of relying on insecure User-Agent detection

Context

Relevant to: #5313
Inspired by: #5315 (official v5.2.1 patch)

Since react-scripts@5.0.1 depends on webpack-dev-server@4.x, and upgrading to v5 is not always viable for projects in production, this patch brings essential security hardening to the v4 codebase.

Implementation Details

  • Introduced isTrustedClient() helper to verify presence of webpack-dev-server-client header
  • /webpack-dev-server route now denies access (403) if the required header is missing
  • Patch mirrors the core logic used in v5.2.1, but adapted to v4’s Express-based routing
  • Clean, isolated backport to avoid impact on unrelated parts of the server

Thanks for considering this backport 🙏
Happy to adjust based on any review feedback.
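
The header gate described under Implementation Details, sketched as an added example that is not the code from this pull request or from webpack-dev-server. The header name and route come from the description above; the non-empty-value rule, the subpath matching, the `guardDevServerRoute` middleware and the `simulate` harness are assumptions made for illustration.

```javascript
// Added illustration only; not the patch from PR #5534.
const CLIENT_HEADER = "webpack-dev-server-client"; // header named in the PR description
const GUARDED_ROUTE = "/webpack-dev-server";       // route named in the PR description

// Assumption: "trusted" means the header is present with a non-empty value.
// Node and Express expose request header names in lower case.
function isTrustedClient(req) {
  const value = req.headers[CLIENT_HEADER];
  return typeof value === "string" && value.trim().length > 0;
}

// Express-style middleware (hypothetical name): answer 403 on the guarded
// route when the header is missing, pass everything else through.
function guardDevServerRoute(req, res, next) {
  const path = req.url.split("?")[0];
  // Assumption: subpaths of the route are guarded as well.
  const guarded = path === GUARDED_ROUTE || path.startsWith(GUARDED_ROUTE + "/");
  if (guarded && !isTrustedClient(req)) {
    res.statusCode = 403;
    res.end("Forbidden");
    return;
  }
  next();
}

// Constructed harness: builds minimal req/res objects so the middleware can
// be exercised without a network socket. Returns the final status code.
function simulate(url, headers = {}) {
  const lowered = {};
  for (const [name, value] of Object.entries(headers)) {
    lowered[name.toLowerCase()] = value;
  }
  const req = { url, headers: lowered };
  const res = { statusCode: 200, body: "", end(body) { this.body = body || ""; } };
  guardDevServerRoute(req, res, () => res.end("asset listing"));
  return res.statusCode;
}

// Constructed sample requests.
const samples = [
  ["/webpack-dev-server", {}],
  ["/webpack-dev-server", { "User-Agent": "Chrome/120" }],
  ["/webpack-dev-server", { "webpack-dev-server-client": "1" }],
  ["/main.js", {}],
];
for (const [url, headers] of samples) {
  console.log(url, JSON.stringify(headers), "->", simulate(url, headers));
}
```

A request that only carries a browser-looking User-Agent is still refused, which is the difference from the User-Agent detection the description calls insecure.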