webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Summary
| CVE | CVE-2026-9595 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-15 16:16:35 UTC |
| Updated | 2026-06-16 17:24:37 UTC |
| Description | Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in [email protected]. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.001630000 probability, percentile 0.057790000 (date 2026-06-23)
Problem Types: CWE-346 | CWE-441 | CWE-346 CWE-346: Origin Validation Error | CWE-441 CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | CNA | CVSS | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
LowCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Webpack.js | Webpack-dev-server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Webpack-dev-server | Webpack-dev-server | affected 5.2.5 semver | Not specified |
| CNA | Webpack-dev-server | Webpack-dev-server | unaffected 5.2.5 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Vendor Advisory |
| github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3... | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Mitigation, Vendor Advisory |
| github.com/facebook/create-react-app/pull/7444 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Issue Tracking, Patch |
| github.com/webpack/webpack-dev-server/pull/4316 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Issue Tracking, Patch |
| github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: bjohansebas (en)
CNA: UlisesGascon (en)
CNA: ajhyndman (en)
There are currently no legacy QID mappings associated with this CVE.