CVE-2026-9595
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in webpack-dev-server allows for the interception of browser cookies and the Origin header when a user-configured proxy has a broad context and ws: true enabled. This leads to bypassing Host/Origin validation and corrupting the HMR socket.
Risk Assessment
Organizations may be exposed to user data leaks and man-in-the-middle attacks, potentially leading to serious security breaches.
Recommendation
It is recommended to scope the proxy context to specific paths instead of using / or to omit ws: true when WebSocket forwarding is not required.
Original NVD description (English source)
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket). Patches: Fixed in [email protected]. Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

