CVE Vulnerability Details: CVE-2026-9595
PUBLISHED
Assigner: openjs
Assigner Org ID: ce714d77-add3-4f53-aff5-83d477b104bb
Published At: 15 Jun, 2026 | 15:00
Updated At: 15 Jun, 2026 | 16:08
▼CVE Numbering Authority (CNA)
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
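The workarounds above can be checked mechanically. The following is an added example, not code from the advisory or from webpack-dev-server: it audits a devServer.proxy array for entries that combine ws: true with a context covering the HMR socket. Assumptions: the HMR WebSocket uses the default path /ws, string contexts match by path prefix, and an entry without a context proxies every path; auditProxy, contextsOf and the sample targets are hypothetical names and values.

```javascript
// Added example: audit a webpack-dev-server `devServer.proxy` array for the
// pattern in the advisory (a context that covers the HMR socket, plus ws: true).
// Assumption: the HMR WebSocket uses the default path "/ws".
const HMR_PATH = "/ws";

// Normalise an entry's context to a list. Assumption: an entry with no
// context proxies every path, so it is treated like "/".
function contextsOf(entry) {
  const ctx = entry.context === undefined ? "/" : entry.context;
  return Array.isArray(ctx) ? ctx : [ctx];
}

// Return one finding per proxy context that could capture the HMR socket.
function auditProxy(proxyEntries, hmrPath = HMR_PATH) {
  const findings = [];
  proxyEntries.forEach((entry, index) => {
    // The advisory lists omitting ws: true as a workaround, so skip those.
    if (entry.ws !== true) return;
    for (const ctx of contextsOf(entry)) {
      if (typeof ctx === "function") {
        findings.push({ index, context: "<function>", reason: "review-manually" });
      } else if (ctx.includes("*")) {
        findings.push({ index, context: ctx, reason: "review-manually" });
      } else if (hmrPath.startsWith(ctx)) {
        // Assumed prefix matching: "/" therefore also matches "/ws".
        findings.push({ index, context: ctx, reason: "covers-hmr-path" });
      }
    }
  });
  return findings;
}

// Constructed sample configuration (targets are placeholders).
const sampleProxy = [
  { context: ["/"], target: "http://localhost:8080", ws: true },
  { context: ["/api"], target: "http://localhost:8080", ws: true },
  { context: ["/"], target: "http://localhost:8080" },
  { target: "http://localhost:9000", ws: true },
  { context: ["/api/**"], target: "http://localhost:8080", ws: true },
];

for (const f of auditProxy(sampleProxy)) {
  console.log(`proxy[${f.index}] context ${f.context}: ${f.reason}`);
}
```

Entries reported as covers-hmr-path should be scoped to specific paths or have ws: true removed; upgrading to 5.2.5 is the fix the advisory names.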

Affected Products
Vendor: webpack-dev-server
Product: webpack-dev-server
Default Status: unaffected
Versions
Affected
  • From 0 before 5.2.5 (semver)
Unaffected
  • 5.2.5 (semver)
Problem Types
Type: CWE
CWE ID: CWE-346
Description: CWE-346: Origin Validation Error
Type: CWE
CWE ID: CWE-441
Description: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Metrics
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Credits
coordinator: bjohansebas
analyst: UlisesGascon
remediation developer: ajhyndman
References
Hyperlink: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
Resource: N/A
Hyperlink: https://cna.openjsf.org/security-advisories.html
Resource: N/A
Hyperlink: https://github.com/webpack/webpack-dev-server/pull/4316
Resource: N/A
Hyperlink: https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
Resource: N/A
Hyperlink: https://github.com/facebook/create-react-app/pull/7444
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment