5.3

CVE-2026-9595

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webpack.JsWebpack-dev-server Version < 5.2.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.16% 0.058
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
ce714d77-add3-4f53-aff5-83d477b104bb 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

https://cna.openjsf.org/security-advisories.html
Vendor Advisory
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
Vendor Advisory
Mitigation
https://github.com/webpack/webpack-dev-server/pull/4316
Patch
Issue Tracking
https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
Patch
https://github.com/facebook/create-react-app/pull/7444
Patch
Issue Tracking