Home

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-15 | Updated 2026-06-15 | Assigner openjs




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-346: Origin Validation Error

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

Product status

Default status
unaffected

Any version before 5.2.5
affected

5.2.5 (semver)
unaffected

Credits

bjohansebas coordinator

UlisesGascon analyst

ajhyndman remediation developer

References

github.com/...server/security/advisories/GHSA-mx8g-39q3-5c79

cna.openjsf.org/security-advisories.html

github.com/webpack/webpack-dev-server/pull/4316

github.com/...ommit/72ba7505aff2a8314e82aa5082379a77504a1fcb

github.com/facebook/create-react-app/pull/7444

cve.org (CVE-2026-9595)

nvd.nist.gov (CVE-2026-9595)

Download JSON