CVE-2026-9595
WebSocket Interception in webpack-dev-server

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: openjs

Description
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in [email protected].

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
webpack | webpack-dev-server | 5.2.5
vuejs | vue-cli | *
facebook | create-react-app | *

CWE ID | Description
CWE-346 | The product does not properly verify that the source of data or communication is valid.
CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Executive Summary

The vulnerability CVE-2026-9595 affects webpack-dev-server when a user-configured proxy has a broad context such as "/" and the WebSocket forwarding option (ws: true) is enabled.

In this situation, the proxy incorrectly intercepts the dev server's own Hot Module Replacement (HMR) WebSocket connection and forwards it to the proxy target. This causes the browser's cookies and Origin header to be leaked to the backend server.

Additionally, this bypasses the dev server's Host and Origin validation checks and corrupts the HMR socket because both the HMR and the proxy end up writing to the same socket.

The issue arises from improper handling of WebSocket upgrade requests during proxy forwarding.

Impact Analysis

This vulnerability can lead to leakage of sensitive information such as browser cookies and the Origin header to unintended backend servers.

It also allows attackers to bypass the dev server's Host and Origin validation, potentially enabling unauthorized access or manipulation of WebSocket connections.

Furthermore, the corruption of the HMR socket can disrupt the Hot Module Replacement functionality, causing development workflow issues.

The vulnerability has a moderate severity with a CVSS score of 5.3, is exploitable over the network without privileges or user interaction, and can impact availability to a low extent.

Detection Guidance

This vulnerability occurs when a user-configured proxy on webpack-dev-server has a broad context (e.g., "/") with ws: true, causing interception of the dev server's own HMR WebSocket and leaking sensitive information.

To detect this vulnerability on your system or network, you can check your webpack-dev-server proxy configuration for a broad context path such as "/" combined with ws: true.

Additionally, monitoring network traffic for WebSocket connections that are being forwarded to unintended proxy targets may help identify exploitation attempts.

While no specific commands are provided in the resources, you can use network inspection tools like tcpdump or Wireshark to capture WebSocket traffic and verify if HMR WebSocket upgrade requests are being forwarded through the proxy.

For example, a command to capture WebSocket traffic on port 8080 might be:

  • tcpdump -i any -s 0 -w capture.pcap port 8080 and tcp

Then analyze the capture with Wireshark to check if HMR WebSocket upgrade requests are forwarded to the proxy target.

Also, reviewing your webpack-dev-server proxy configuration files for broad context paths and ws: true settings is recommended.

Mitigation Strategies

Immediate mitigation steps include applying the official patch by upgrading webpack-dev-server to version 5.2.5 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, you can apply workarounds such as:

  • Scope user-defined proxy context to specific paths instead of using a broad context like "/".
  • Omit the ws: true setting from the proxy entry when WebSocket forwarding is not required.

These steps prevent the dev server's HMR WebSocket from being intercepted and leaking sensitive information.
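
The configuration check from the detection guidance and the scoping workaround above can be combined into a small static audit. This is an added example, not code from webpack-dev-server or from the advisory; it assumes the HMR WebSocket uses the default path /ws, that plain-string contexts match by prefix, and that an entry without a context matches every path. The proxy targets are constructed placeholders.

```javascript
// Added example: static audit of a webpack-dev-server `proxy` array.
// Assumption: the dev server's HMR WebSocket listens on the default path "/ws".
const HMR_WS_PATH = "/ws";

// true/false for plain-string contexts; null when it cannot be decided statically.
// Assumption: plain-string contexts are matched as a path prefix.
function coversHmrPath(context, hmrPath) {
  if (typeof context !== "string") return null;   // function filter: review by hand
  if (/[*?!{}[\]]/.test(context)) return null;    // glob pattern: review by hand
  return hmrPath.startsWith(context);
}

// One finding per (entry, context) that forwards WebSockets and may capture HMR.
function auditProxy(proxy, hmrPath = HMR_WS_PATH) {
  const findings = [];
  proxy.forEach((entry, index) => {
    if (entry.ws !== true) return;                // entry does not forward WebSockets
    const raw = entry.context ?? "/";             // assumption: no context = match all
    const contexts = Array.isArray(raw) ? raw : [raw];
    for (const context of contexts) {
      const hit = coversHmrPath(context, hmrPath);
      if (hit === false) continue;                // scoped away from the HMR path
      findings.push({
        index,
        context: typeof context === "string" ? context : "<function>",
        status: hit ? "exposed" : "review",
      });
    }
  });
  return findings;
}

// Constructed sample: the broad pattern described in the advisory.
const riskyProxy = [
  { context: ["/"], target: "http://localhost:3000", ws: true },
];

// Constructed sample: the workaround, with ws only where it is needed.
const scopedProxy = [
  { context: ["/api"], target: "http://localhost:3000" },
  { context: ["/socket"], target: "http://localhost:3000", ws: true },
];

console.log(auditProxy(riskyProxy));   // one "exposed" finding
console.log(auditProxy(scopedProxy));  // no findings
```

Entries reported as "review" use a glob or function filter and need a manual check against the HMR path.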

Compliance Impact

The vulnerability in webpack-dev-server allows leakage of browser cookies and the Origin header to a backend proxy target by intercepting the Hot Module Replacement (HMR) WebSocket. This leakage could potentially expose sensitive user information.

Such exposure of cookies and origin data may lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information from unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance impacts or regulatory consequences.
