Byte Open Security (ByteOS Network)

Vulnerability Details: CVE-2026-9595

Summary
Assigner: openjs
Assigner Org ID: ce714d77-add3-4f53-aff5-83d477b104bb
Published At: 15 Jun, 2026 | 15:00
Updated At: 15 Jun, 2026 | 16:08
Rejected At: -

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

EPSS History: no data available for the selected date range (Latest Score: N/A, Latest Percentile: N/A)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor: webpack-dev-server
Product: webpack-dev-server
Default Status: unaffected
Versions
Affected:
  • From 0 before 5.2.5 (semver)
Unaffected:
  • 5.2.5 (semver)
Problem Types
Type  CWE ID   Description
CWE   CWE-346  Origin Validation Error
CWE   CWE-441  Unintended Proxy or Intermediary ('Confused Deputy')
Metrics
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Note that the CNA vector scores availability impact only (C:N/I:N/A:L, reflecting the corrupted HMR socket), even though the description above also states that the browser's cookies and Origin header are forwarded to the proxy target; readers assessing exposure of a dev server reachable beyond localhost should weigh that disclosure aspect themselves.
Credits
  • coordinator: bjohansebas
  • analyst: UlisesGascon
  • remediation developer: ajhyndman
References (resource type N/A for all)
  • https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
  • https://cna.openjsf.org/security-advisories.html
  • https://github.com/webpack/webpack-dev-server/pull/4316
  • https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
  • https://github.com/facebook/create-react-app/pull/7444
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: information is not available yet (no affected products, metrics, impacts, solutions, workarounds, exploits, credits, timeline or references published)
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Published At: 15 Jun, 2026 | 16:16
Updated At: 15 Jun, 2026 | 21:09
CISA Catalog: N/A (Date Added, Due Date, Vulnerability Name and Required Action are all N/A)
Metrics
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CPE Matches: none listed
Weaknesses
CWE ID   Type       Source
CWE-346  Secondary  ce714d77-add3-4f53-aff5-83d477b104bb
CWE-441  Secondary  ce714d77-add3-4f53-aff5-83d477b104bb

Evaluator Description, Evaluator Impact, Evaluator Solution, Vendor Statements: none
References (source: ce714d77-add3-4f53-aff5-83d477b104bb for all; resource type N/A for all)
  • https://cna.openjsf.org/security-advisories.html
  • https://github.com/facebook/create-react-app/pull/7444
  • https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
  • https://github.com/webpack/webpack-dev-server/pull/4316
  • https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79

Change History: 0 entries, information is not available yet
Similar CVEs

1 record found

CVE-2026-14631
Matching Score: 8
Assigner: ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score: 5.3 | MEDIUM
EPSS: Not Assigned
Published: 03 Jul, 2026 | 17:23
Updated: 03 Jul, 2026 | 18:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server. Impact is limited to availability of the development server: no data disclosure, no code execution.

Patches: upgrade to webpack-dev-server 5.2.6.

Workarounds: keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.

Action: Not Available
Vendor: webpack-dev-server
Product: webpack-dev-server
CWE IDs: CWE-20 (Improper Input Validation), CWE-248 (Uncaught Exception)