CVE-2026-9595 | Impact: When a user-configured proxy on webpack-dev-server h… | CVSS 5.3 MEDIUM

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Metadata

CVE ID: CVE-2026-9595
State: PUBLISHED
Assigner: openjs
Reserved: 2026-05-26 14:38 UTC
Published: 2026-06-15 15:00 UTC
Last updated: 2026-06-15 16:08 UTC
Primary CWE: CWE-346
CWE-346: Origin Validation Error
Vendor / Product: webpack-dev-server / webpack-dev-server
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
webpack-dev-server	webpack-dev-server	—	0 < 5.2.5, 5.2.5

Weakness (CWE)

CWE	Source	Description
CWE-346	cna	CWE-346: Origin Validation Error
CWE-441	cna	CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (5)