CVE Alert

CVE-2026-9595

MEDIUM 5.3

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server 5.2.5 (the first unaffected version listed under Affected Versions below).

Workarounds: Scope the user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
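The weak and the corrected devServer.proxy shapes side by side, plus a small static check that flags any proxy entry whose context would also capture the HMR WebSocket. This is an added example, not code from the advisory or from the webpack-dev-server project. It assumes the v5 proxy shape (an array of { context, target, ws } entries), that context is a string or an array of string path prefixes matched by prefix, and that the dev server's HMR socket is served at "/ws" (configurable; treat HMR_SOCKET_PATH as an assumption to adjust for your setup).

```javascript
// Added example (not webpack-dev-server project code).
// Assumption: devServer.proxy is an array of { context, target, ws } entries,
// context is a string or string[] of path prefixes, and the HMR WebSocket
// is served at HMR_SOCKET_PATH (default "/ws"; change if you configured
// a different webSocketServer path).
const HMR_SOCKET_PATH = '/ws';

// Weak configuration: a catch-all context with ws: true also matches the
// dev server's own HMR socket, so the HMR upgrade is forwarded to the backend.
const weakDevServer = {
  proxy: [
    { context: '/', target: 'http://localhost:8080', ws: true },
  ],
};

// Hardened configuration: contexts are scoped to the paths that actually
// need proxying, and ws: true is set only where WebSocket forwarding is needed.
const hardenedDevServer = {
  proxy: [
    { context: ['/api'], target: 'http://localhost:8080' },
    { context: ['/socket'], target: 'http://localhost:8080', ws: true },
  ],
};

// Prefix match for one context value: "/" (or a bare "**" glob) matches
// every path; "/api" matches "/api" and anything under "/api/".
// Negated ("!...") and function contexts are not handled by this check.
function prefixMatches(context, path) {
  if (context === '/' || context === '**' || context === '/**') return true;
  const prefix = context.replace(/\/?\*\*$/, ''); // "/api/**" -> "/api"
  const dirPrefix = prefix.endsWith('/') ? prefix : prefix + '/';
  return path === prefix || path.startsWith(dirPrefix);
}

// Return the proxy entries that would intercept the HMR WebSocket:
// ws: true combined with a context that matches hmrPath.
function findHmrInterceptingProxies(devServer, hmrPath = HMR_SOCKET_PATH) {
  const entries = Array.isArray(devServer.proxy) ? devServer.proxy : [];
  return entries.filter((entry) => {
    if (!entry.ws) return false;
    const contexts = Array.isArray(entry.context) ? entry.context : [entry.context];
    return contexts.some((c) => typeof c === 'string' && prefixMatches(c, hmrPath));
  });
}

// Usage: run the check against both configs and report offending entries.
for (const [name, cfg] of [['weak', weakDevServer], ['hardened', hardenedDevServer]]) {
  const hits = findHmrInterceptingProxies(cfg);
  console.log(`${name}: ${hits.length} proxy entr${hits.length === 1 ? 'y' : 'ies'} would capture ${HMR_SOCKET_PATH}`);
}
```

The check is deliberately conservative: any entry with ws: true whose context prefix-matches the HMR path is reported, including a context that names the HMR path itself. Running it as part of a config lint, or once before upgrading to 5.2.5, tells you whether the workaround (narrower context, or dropping ws: true) is actually needed in a given project.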

CWE: CWE-346, CWE-441
Vendor: webpack-dev-server
Product: webpack-dev-server
Published: Jun 15, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: None (C:N)
Integrity: None (I:N)
Availability: Low (A:L)

Affected Versions

webpack-dev-server / webpack-dev-server: all versions >= 0 and < 5.2.5

References

External: NVD, CVE.org, EPSS Data

github.com: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79
cna.openjsf.org: https://cna.openjsf.org/security-advisories.html
github.com: https://github.com/webpack/webpack-dev-server/pull/4316
github.com: https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
github.com: https://github.com/facebook/create-react-app/pull/7444

Credits

bjohansebas, UlisesGascon, ajhyndman