CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-9595: WebSocket Proxying Vulnerability in webpack-dev-server leading to Host/Origin Validation Bypass

Vulnerability ID: CVE-2026-9595
CVSS Score: 5.3
Published: 2026-06-17

webpack-dev-server (WDS) is vulnerable to an Origin Validation Error (CWE-346) and a Confused Deputy vulnerability (CWE-441) due to path normalization discrepancies in its upgrade handling. When a proxy is configured with a broad context and WebSocket support is enabled, the proxy middleware intercepts internal Hot Module Replacement (HMR) WebSocket upgrade requests. This forwards the browser's credentials (such as Cookies and Origin headers) to the backend target, bypassing built-in security controls and corrupting the WebSocket connection.

TL;DR

A path parsing discrepancy between Node's URL parser and the raw string checks in the 'ws' library allows proxy middleware in webpack-dev-server to intercept local HMR WebSocket traffic. This bypasses Host/Origin security controls and leaks client cookies to proxy targets.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-346, CWE-441
  • Attack Vector: Network (AV:N)
  • CVSS v3.1 Score: 5.3 (Medium)
  • EPSS Score: 0.00163 (Percentile: 5.81%)
  • Impact: Credential Leakage, Host Security Bypass, Connection Corruption
  • Exploit Status: PoC
  • KEV Status: Not Listed

Affected Systems

  • webpack-dev-server
  • webpack-dev-server: < 5.2.5 (Fixed in: 5.2.5)

Code Analysis

Commit: 948d5e6

Fix strict HMR path matching on upgrade events to match native 'ws' parser rules

Commit: c3ee325

Release v5.2.5

Exploit Details

  • GitHub Advisory: Advisory documenting the proxy upgrade bypass vector and structural remediation details.

Mitigation Strategies

  • Restrict the proxy context to narrow, specific sub-paths (e.g., '/api') rather than broad routing rules (e.g., '/')
  • Disable proxy WebSocket upgrades by setting 'ws: false' inside the proxy configurations where socket forwarding is not required
  • Audit development server configurations to prevent the binding of local development credentials to untrusted proxy targets

Remediation Steps:

  1. Open the project's dependency manifest ('package.json')
  2. Update the 'webpack-dev-server' entry to version '^5.2.5'
  3. Reinstall dependencies using the package manager to pull down the updated version
  4. Verify the configuration of 'devServer.proxy' to ensure no wildcard mappings are active
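
The mitigation and remediation checks above, written as an added audit sketch (not code from webpack-dev-server or the advisory). The function names are hypothetical, the sample configs are constructed, and '/ws' as the default HMR socket path is an assumption; the proxy is assumed to be an array of objects with 'context', 'target' and 'ws' keys.

```javascript
// Added example: audit a devServer config for the exposure described in this advisory.
const FIXED_VERSION = "5.2.5"; // fixed release named in the advisory
const HMR_PATH = "/ws";        // assumption: default webpack-dev-server HMR socket path

// True when dotted version `a` is lower than `b` (numeric x.y.z only).
function isBelow(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// A context is treated as broad if it is missing, a wildcard,
// or a path prefix of the HMR socket path.
function coversHmr(context, hmrPath) {
  if (context === undefined) return true;
  const list = Array.isArray(context) ? context : [context];
  return list.some((c) => {
    if (typeof c !== "string") return true; // functions/unknown: review by hand
    if (c === "" || c === "/" || c.includes("*")) return true;
    const p = c.replace(/\/+$/, "");
    return hmrPath === p || hmrPath.startsWith(p + "/");
  });
}

// Returns a list of findings; an empty list means none of the checks fired.
function auditDevServer(devServer, installedVersion, hmrPath = HMR_PATH) {
  const findings = [];
  if (isBelow(installedVersion, FIXED_VERSION)) {
    findings.push(`webpack-dev-server ${installedVersion} is below ${FIXED_VERSION}`);
  }
  (devServer.proxy || []).forEach((entry, i) => {
    if (entry.ws === true && coversHmr(entry.context, hmrPath)) {
      findings.push(`proxy[${i}]: ws enabled on a broad or wildcard context that may cover ${hmrPath}`);
    }
  });
  return findings;
}

// Constructed sample configs: the risky shape and the narrowed one.
const risky = { proxy: [{ context: ["/"], target: "http://localhost:3000", ws: true }] };
const narrowed = { proxy: [{ context: ["/api"], target: "http://localhost:3000", ws: false }] };
console.log(auditDevServer(risky, "5.2.4"));
console.log(auditDevServer(narrowed, "5.2.5"));
```

Wildcard contexts such as '/api/**' are flagged for manual review even when they cannot match the HMR path, in line with step 4.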
