CVE-2026-9595
CVSS v3.1 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
15/06/2026
Last modified:
16/06/2026
Description
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
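The workaround above can be checked mechanically. The following is an added example, not code from webpack-dev-server or the advisory: it audits a `devServer.proxy` array for entries that combine `ws: true` with a context covering the HMR WebSocket path. The function names, the sample targets and the `/ws` HMR path are assumptions.

```javascript
// Added example: audit a webpack-dev-server `devServer.proxy` array for the
// pattern described in this advisory (broad context + ws: true).
// Assumptions: proxy entries use the array form with `context` and `ws` keys;
// HMR_PATH is the dev server's own WebSocket path (assumed "/ws" here).
const HMR_PATH = "/ws";

// Normalise an entry's context to a list of strings.
function contextsOf(entry) {
  const ctx = entry.context;
  if (ctx === undefined) return ["/"]; // assumption: no context matches everything
  return Array.isArray(ctx) ? ctx : [ctx];
}

// A plain string context is treated as a path prefix, so "/" covers HMR_PATH.
function coversHmr(context, hmrPath) {
  return typeof context === "string" && hmrPath.startsWith(context);
}

// Return one finding per proxy entry that forwards WebSockets and whose
// context would also capture the HMR socket.
function auditProxy(proxy, hmrPath = HMR_PATH) {
  const findings = [];
  proxy.forEach((entry, index) => {
    if (entry.ws !== true) return; // no WebSocket forwarding, not affected
    const broad = contextsOf(entry).filter((c) => coversHmr(c, hmrPath));
    if (broad.length > 0) {
      findings.push({ index, target: entry.target, contexts: broad });
    }
  });
  return findings;
}

// Constructed sample configurations (targets are placeholders).
const risky = [{ context: "/", target: "http://localhost:3000", ws: true }];
const scoped = [
  { context: ["/api", "/socket"], target: "http://localhost:3000", ws: true },
  { context: "/", target: "http://localhost:4000" }, // broad, but no ws
];

console.log(auditProxy(risky));  // one finding for entry 0
console.log(auditProxy(scoped)); // no findings
```

Glob-style contexts are not evaluated by this check and need manual review.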
Impact
Base score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:* | | 5.2.5 (excluding) |
References to solutions, tools and information
- https://cna.openjsf.org/security-advisories.html
- https://github.com/facebook/create-react-app/pull/7444
- https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
- https://github.com/webpack/webpack-dev-server/pull/4316
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79



