CVEFinder.io

CVE-2026-9595

Severity: medium
Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
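To make the workaround checkable, here is an added example (not code from the advisory or from the webpack-dev-server project) that audits a webpack-dev-server v5 `devServer.proxy` array for entries that would also capture the dev server's own HMR WebSocket. It assumes the array-of-objects proxy form with `context` given as a string or array of strings and the default HMR socket path `/ws`; entries using function or other glob contexts are reported for manual review rather than judged.

```javascript
// Added example: audit webpack-dev-server v5 proxy entries for the broad
// context + ws:true pattern described in the advisory. Not project code.
const HMR_WS_PATH = '/ws'; // assumed default HMR WebSocket path

// http-proxy-middleware treats a plain string context as a path prefix;
// this simplified matcher mirrors that and treats '**' / '/**' as catch-all.
// Other glob patterns are not evaluated here (returns null).
function contextMatches(ctx, pathname) {
  if (ctx === '**' || ctx === '/**') return true;
  if (ctx.includes('*')) return null;
  return pathname.startsWith(ctx);
}

// 'risky'  -> entry forwards WebSockets and its context covers the HMR path
// 'safe'   -> no ws forwarding, or context cannot match the HMR path
// 'review' -> shape not evaluated (function context, globs, missing context)
function classifyEntry(entry) {
  if (!entry || typeof entry !== 'object') return 'review';
  if (entry.ws !== true) return 'safe'; // HMR socket is never forwarded
  const ctx = entry.context;
  if (ctx === undefined || typeof ctx === 'function') return 'review';
  const list = Array.isArray(ctx) ? ctx : [ctx];
  let verdict = 'safe';
  for (const c of list) {
    if (typeof c !== 'string') return 'review';
    const m = contextMatches(c, HMR_WS_PATH);
    if (m === true) return 'risky';
    if (m === null) verdict = 'review';
  }
  return verdict;
}

// Returns indexes of entries that intercept the HMR socket and of those needing review.
function auditProxy(proxy) {
  const risky = [], review = [];
  (proxy || []).forEach((entry, i) => {
    const v = classifyEntry(entry);
    if (v === 'risky') risky.push(i);
    else if (v === 'review') review.push(i);
  });
  return { risky, review };
}

// Constructed sample configs: the broad form the advisory warns about, and a scoped fix.
const broadProxy  = [{ context: ['/'], target: 'http://localhost:3000', ws: true }];
const scopedProxy = [{ context: ['/api', '/socket'], target: 'http://localhost:3000', ws: true }];

console.log('broad:', auditProxy(broadProxy), 'scoped:', auditProxy(scopedProxy));
```

Run against a real `webpack.config.js` by passing its `devServer.proxy` array to `auditProxy`; any `risky` index should be scoped to specific paths or have `ws: true` removed.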

CVSS Score: 5.3 (Medium)
EPSS Score: 0.2 (exploit probability)
Published Date: 2026-06-15
First Seen: 2026-06-16
Relative Risk Intelligence

This CVE is Lower Risk: more severe than 19.7% of all 330,193 vulnerabilities in our database.

Severity Percentile: #265,260 (below average severity)
CISA SSVC Assessment (updated Jun 15, 2026)

Exploitation Status: None (no known exploits)
Automatable: Yes (can be exploited automatically)
Technical Impact: Partial (limited system impact)
Discovered By: bjohansebas (coordinator), UlisesGascon (analyst), ajhyndman (remediation developer)
SSVC data provided by CISA

Last Modified: 2026-06-16
Source: NVD
CVSS Vector 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Related CVEs (4)

CVE ID | Severity | CVSS | EPSS | Summary | Published
CVE-2026-6402 | medium | 5.3 | 0.0 | webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving o... | 2026-05-12
CVE-2025-30359 | medium | 5.3 | 0.1 | webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ... | 2025-06-03
CVE-2025-30360 | medium | 6.5 | 0.0 | webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version ... | 2025-06-03
CVE-2018-14732 | high | 7.5 | 0.2 | An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's cod... | 2018-09-21

These CVEs affect the same products.