CVE-2026-9595
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/06/2026
Last modified: 16/06/2026
Description
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
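The check below is an added example, not code from the advisory or the webpack-dev-server project: it scans a devServer.proxy array for the shape the workarounds target, namely ws: true combined with a context that also covers the HMR socket path. The function name, the sample targets, the /ws HMR path and the treatment of a missing context as matching everything are assumptions.

```javascript
// Added example: flag devServer.proxy entries with ws: true whose context
// also covers the dev server's own HMR WebSocket path.
// Assumption: the HMR socket path is "/ws"; pass your own if configured differently.
function findRiskyProxyEntries(proxyEntries, hmrPath = "/ws") {
  const findings = [];
  proxyEntries.forEach((entry, index) => {
    // No WebSocket forwarding on this entry: matches the second workaround.
    if (entry.ws !== true) return;
    // Assumption: an entry without a context is treated as matching everything.
    const contexts =
      entry.context === undefined ? ["/"] : [].concat(entry.context);
    // Only plain string contexts are checked, as path prefixes.
    // Glob patterns and function filters are not evaluated here.
    const overlapping = contexts.filter(
      (c) => typeof c === "string" && hmrPath.startsWith(c)
    );
    if (overlapping.length > 0) {
      findings.push({ index, target: entry.target, contexts: overlapping });
    }
  });
  return findings;
}

// Constructed sample configurations (targets are placeholders).
const riskyConfig = [
  { context: ["/"], target: "http://localhost:3000", ws: true },
];
const scopedConfig = [
  // First workaround: context scoped to specific paths.
  { context: ["/api", "/socket"], target: "http://localhost:3000", ws: true },
  // Second workaround: broad context, but ws: true omitted.
  { context: ["/"], target: "http://localhost:3000" },
];

console.log("risky config findings:", findRiskyProxyEntries(riskyConfig));
console.log("scoped config findings:", findRiskyProxyEntries(scopedConfig));
```

An empty result does not replace upgrading to the fixed version; it only confirms that the listed workarounds are in place for plain string contexts.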
Impact
Base Score 3.x: 5.30
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:* | | 5.2.5 (excluding) |
References to Advisories, Solutions, and Tools
- https://cna.openjsf.org/security-advisories.html
- https://github.com/facebook/create-react-app/pull/7444
- https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
- https://github.com/webpack/webpack-dev-server/pull/4316
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79



