CVE-2026-9595 Overview
CVE-2026-9595 affects webpack-dev-server, the development server used by the Webpack JavaScript bundler. When a developer configures a proxy with a broad context (such as /) and enables ws: true, the proxy also intercepts the dev server's own Hot Module Replacement (HMR) WebSocket. The intercepted traffic is forwarded to the configured backend, leaking the browser's cookies and Origin header, bypassing the dev server's Host and Origin validation, and corrupting the HMR socket because both HMR and the proxy write to the same connection. The issue is classified under [CWE-346] Origin Validation Error.
Critical Impact
Browser cookies and Origin headers from the developer's session leak to the proxied backend, and the HMR channel is corrupted by overlapping writes.
Affected Products
- webpack.js webpack-dev-server versions prior to 5.2.5
- Projects scaffolded with tools that bundle vulnerable webpack-dev-server versions (for example create-react-app and Vue CLI workflows)
- Local development environments using broad proxy contexts with WebSocket forwarding enabled
Discovery Timeline
- 2026-06-15 - CVE-2026-9595 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-9595
Vulnerability Analysis
The flaw is an origin validation error in webpack-dev-server's proxy handling. The dev server normally validates the Host and Origin headers on its HMR WebSocket to ensure only the local browser session can connect. When a user-defined proxy uses a wide context (/) and sets ws: true, that proxy matcher takes precedence over the HMR endpoint. As a result, the upgrade request that the browser sends for HMR is matched by the proxy and forwarded to the backend target instead of being terminated by the dev server.
Because the proxy forwards the request as-is, the developer's session cookies and Origin header reach a backend that may not expect them. The same socket is then written to by both the proxy pipeline and the HMR subsystem, producing protocol corruption on the WebSocket stream.
Root Cause
The root cause is precedence ordering between user-supplied proxy rules and the dev server's internal HMR route. A proxy entry with context / matches every path, including the HMR upgrade path, so origin validation is skipped and the request is proxied. The dev server did not reserve its HMR WebSocket path from user-defined proxy matching.
Attack Vector
Exploitation requires a developer to run webpack-dev-server with a misconfigured proxy (broad context plus ws: true). An attacker who can influence the proxied backend, or who controls a malicious page that triggers WebSocket upgrades, can receive the forwarded HMR traffic along with the browser's cookies and origin metadata. The attack vector is network-adjacent to the developer's environment and does not require authentication on the dev server itself.
No public proof-of-concept or exploit entries are listed for this CVE. See the GitHub Security Advisory GHSA-mx8g-39q3-5c79 for the maintainer's technical write-up.
Detection Methods for CVE-2026-9595
Indicators of Compromise
- Unexpected WebSocket upgrade requests reaching backend services from developer workstations carrying browser cookies or non-backend Origin headers.
- HMR client errors in the browser console indicating malformed frames or unexpected disconnects on the /ws channel.
- Backend access logs showing Upgrade: websocket requests originating from localhost dev sessions on paths owned by the dev server.
Detection Strategies
- Audit webpack.config.js and devServer.proxy definitions for entries using context / combined with ws: true.
- Inventory installed webpack-dev-server versions across developer machines and CI runners, flagging any release earlier than 5.2.5.
- Inspect backend logs for inbound WebSocket upgrades whose paths match dev-server-internal routes such as /ws.
Monitoring Recommendations
- Track dependency manifests (package.json, package-lock.json, yarn.lock) for webpack-dev-server versions across repositories.
- Alert when development proxies forward authenticated cookies to non-local targets.
- Monitor build and dev-server logs for repeated HMR reconnect loops, which can indicate socket corruption.
How to Mitigate CVE-2026-9595
Immediate Actions Required
- Upgrade webpack-dev-server to version 5.2.5 or later in every project and lockfile.
- Review all devServer.proxy configurations and replace broad / contexts with explicit API paths.
- Remove ws: true from proxy entries that do not require WebSocket forwarding.
Patch Information
The issue is fixed in webpack-dev-server@5.2.5. The maintainers tracked the fix in Pull Request #4316 and published GHSA-mx8g-39q3-5c79. Downstream scaffolding tooling discussions are available in the create-react-app pull request and the Vue CLI commit. Additional context is available from the OpenJS Foundation Security Advisories.
Workarounds
- Scope each proxy entry to a specific path prefix such as /api rather than /.
- Omit ws: true from proxy entries when WebSocket forwarding to the backend is not required.
- Restrict dev-server usage to loopback interfaces and avoid exposing it on shared networks while running with proxy configurations.
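As an added example (not webpack-dev-server's own code), the following Node.js script audits a devServer.proxy array for the pattern that the Detection Strategies and Workarounds sections describe: a context that covers the HMR socket path combined with ws: true, shown against a vulnerable configuration and its hardened counterpart. It assumes the webpack-dev-server 5 array form of devServer.proxy, mount-path style prefix matching for string contexts, and /ws as the HMR socket path; the backend hostnames are constructed.

```javascript
// Added example, not webpack-dev-server's own code: audit a devServer.proxy
// array for entries that would capture the dev server's HMR WebSocket upgrade.
// Assumed shape (webpack-dev-server 5): an array of entries with `context`
// (string or array of path prefixes), `target`, and an optional `ws` flag.
// HMR_PATH is the HMR socket path assumed from the advisory text.

const HMR_PATH = '/ws';

// Mount-path style prefix match: '/' matches everything, '/api' matches
// '/api' and '/api/x' but not '/apix'. A trailing '/**' is treated as '/'.
function contextMatches(context, requestPath) {
  const prefix = context.replace(/\/\*\*$/, '').replace(/\/$/, '');
  return requestPath === prefix || requestPath.startsWith(prefix + '/');
}

// Return the entries that would intercept the HMR upgrade request:
// a context covering hmrPath together with ws: true. Without ws the proxy
// never handles upgrade requests, so the HMR socket stays with the dev server.
function findHmrCapturingEntries(proxyEntries, hmrPath = HMR_PATH) {
  return proxyEntries.filter((entry) => {
    if (entry.ws !== true) return false;
    const contexts = [].concat(entry.context ?? []);
    return contexts.some((ctx) => contextMatches(ctx, hmrPath));
  });
}

// Human-readable findings for a config, one line per offending entry.
function audit(proxyEntries) {
  return findHmrCapturingEntries(proxyEntries).map(
    (e) => `context=${JSON.stringify(e.context)} ws=true would also proxy ${HMR_PATH}`,
  );
}

// Constructed sample: the misconfiguration described in the advisory.
const vulnerableProxy = [
  { context: '/', target: 'http://backend.internal:8080', ws: true, changeOrigin: true },
];

// Constructed sample: hardened form, scoped contexts and ws only where needed.
const hardenedProxy = [
  { context: ['/api', '/auth'], target: 'http://backend.internal:8080', changeOrigin: true },
  { context: '/api/events', target: 'ws://backend.internal:8080', ws: true },
];

console.log(audit(vulnerableProxy)); // one finding for the broad context
console.log(audit(hardenedProxy));   // []
```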
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.