CVE-2026-9595

MEDIUM

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Title source: cna
STIX 2.1

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in [email protected]. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

References (5)

Core 5

Scores

CVSS v3 5.3
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-346 CWE-441
Status published
Products (2)
webpack-dev-server/webpack-dev-server < 5.2.5
webpack-dev-server/webpack-dev-server 5.2.5
Published Jun 15, 2026
Tracked Since Jun 15, 2026