webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in [email protected].

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Basic Information

ID CVE-2026-9595

Source openjs

Published Jun 15, 2026 at 15:00

Affected Product

Vendor webpack-dev-server

Product webpack-dev-server

Affected Versions webpack-dev-server webpack-dev-server 0

CWE Classification

CWE-346 CWE-441

References

{
    "lastseen": "",
    "description": "Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches: Fixed in [email protected].\n\nWorkarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.",
    "published": "2026-06-15T15:00:21.488Z",
    "modified": "2026-06-15T15:00:21.488Z",
    "type": "cve",
    "title": "webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies",
    "source": "openjs",
    "references": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/webpack/webpack-dev-server/pull/4316\nhttps://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb\nhttps://github.com/facebook/create-react-app/pull/7444",
    "id": "CVE-2026-9595",
    "bulletinFamily": "",
    "cwe": [
        "CWE-346",
        "CWE-441"
    ],
    "cvelist": null,
    "sourceData": "webpack-dev-server webpack-dev-server 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webpack-dev-server",
    "version": "0",
    "vendor": "webpack-dev-server",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies_CVE-2026-9595