CVE-2026-9595

5.3 MEDIUM
Published: June 15, 2026 Modified: June 15, 2026
View on NVD

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://cna.openjsf.org/security-advisories.html
Source: ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/facebook/create-react-app/pull/7444
Source: ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
Source: ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/webpack/webpack-dev-server/pull/4316
Source: ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
Source: ce714d77-add3-4f53-aff5-83d477b104bb

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.3 / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-346 CWE-441

Related CVEs

CVE-2026-9863 7.5
CVE-2026-9862 9.8
CVE-2026-8683 6.5
CVE-2026-5038 5.3
CVE-2026-10634 4.8