Description
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when webpack‑dev‑server is configured with a user proxy that has a broad context, such as /, and WebSocket forwarding (ws:true). This configuration causes the server’s own Hot‑Module‑Replacement WebSocket traffic to be captured and forwarded to the proxy target. As a result, the browser’s cookies, Origin header, and other sensitive request data are leaked to the upstream server, bypassing the dev server’s Host/Origin validation. The forwarded traffic also corrupts the HMR socket, potentially causing the development server and the proxy to write to the same socket.

Affected Systems

All installations of webpack‑dev‑server older than 5.2.5 that use a proxy configuration with a wildcard context and ws:true. This includes any environment running webpack‑dev‑server in development that configures user‑defined proxies over the root path.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score of less than 1% signifies a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control or influence the proxy target; a malicious upstream server could capture forwarded HMR traffic. In typical development settings, the attack vector is local or within a trusted network, so the primary risk is to developers and development servers that expose sensitive authentication cookies.

Generated by OpenCVE AI on June 17, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade webpack‑dev‑server to version 5.2.5 or later.
  • Limit the proxy configuration to specific paths rather than the root (/) when using ws:true.
  • Remove the ws:true option if WebSocket proxying is not required for the workflow.

Generated by OpenCVE AI on June 17, 2026 at 00:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:*

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Webpack.js
Webpack.js webpack-dev-server
Vendors & Products Webpack.js
Webpack.js webpack-dev-server

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
Title webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Weaknesses CWE-346
CWE-441
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Webpack.js Webpack-dev-server
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-15T16:08:35.549Z

Reserved: 2026-05-26T14:38:47.772Z

Link: CVE-2026-9595

cve-icon Vulnrichment

Updated: 2026-06-15T16:08:30.548Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T16:16:35.227

Modified: 2026-06-16T17:24:37.060

Link: CVE-2026-9595

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T01:00:15Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-441

    Unintended Proxy or Intermediary ('Confused Deputy')