5.3
CVE-2026-9595
- EPSS 0.16%
- Veröffentlicht 15.06.2026 15:00:21
- Zuletzt bearbeitet 16.06.2026 17:24:37
- Quelle ce714d77-add3-4f53-aff5-83d477
- CVE-Watchlists
- Unerledigt
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webpack.Js ≫ Webpack-dev-server Version < 5.2.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.058 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
|
| ce714d77-add3-4f53-aff5-83d477b104bb | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
https://cna.openjsf.org/security-advisories.html
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
https://github.com/webpack/webpack-dev-server/pull/4316
https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
https://github.com/facebook/create-react-app/pull/7444