CVE-2026-9595

CVE Database · CVE-2026-9595

CVE-2026-9595

· MEDIUMReceived

CVSS v3.1

5.3

EPSS

0.16%

Published

Jun 15, 2026

Modified

Jun 15, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in webpack-dev-server@5.2.5. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses (CWE)

CWE-346CWE-441

References (5)

https://cna.openjsf.org/security-advisories.html

https://github.com/facebook/create-react-app/pull/7444

https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb

https://github.com/webpack/webpack-dev-server/pull/4316

https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79

KEV Catalog EPSS Scores Vendors All CVEs