WebSocket Vulnerability in Webpack Development Server by Webpack
CVE-2026-9595

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
15 June 2026

What is CVE-2026-9595?

A configuration oversight in webpack-dev-server allows a user-defined proxy with a broad context to intercept the dev server's own Hot Module Replacement (HMR) WebSocket connection. This can inadvertently expose sensitive browser cookies and Origin headers to the backend server, and it negates the intended Host/Origin validation. Such a misconfiguration can also corrupt the HMR socket, because both the HMR server and the proxy write data to the same connection. To mitigate these risks, users are advised to limit proxy contexts to specific paths and to omit WebSocket forwarding when it is not needed. The issue has been fixed in version 5.2.5.
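The mitigation above can be checked mechanically. The following is an added example, not code from webpack-dev-server or from this advisory: it audits a `devServer.proxy` array for entries that forward WebSocket upgrades and whose context covers the HMR socket path. It assumes the dev server's default socket path `/ws`, treats plain string contexts as path prefixes, and uses constructed sample configurations with placeholder targets; `auditProxy` and `classifyContext` are hypothetical helper names.

```javascript
// Added example: audit devServer.proxy entries against the HMR socket path.
// HMR_PATH assumes the dev server's default WebSocket path; change it if
// webSocketServer.options.path is customised in your configuration.
const HMR_PATH = "/ws";

// Classify one context value against the HMR path.
// Plain strings are treated as path prefixes (a simplifying assumption).
// Globs and functions cannot be decided statically here, so they are
// reported for manual review instead of being guessed at.
function classifyContext(ctx, hmrPath) {
  if (typeof ctx === "function") return "review";
  if (typeof ctx !== "string") return "covers"; // no context: assume catch-all
  if (/[*?{}[\]!]/.test(ctx)) return "review";
  return hmrPath.startsWith(ctx) ? "covers" : "clear";
}

// Return findings for proxy entries that forward WebSocket upgrades and
// whose context covers (or may cover) the HMR socket path.
function auditProxy(proxy, hmrPath = HMR_PATH) {
  const findings = [];
  proxy.forEach((entry, index) => {
    if (!entry.ws) return; // no WebSocket forwarding requested on this entry
    for (const ctx of [].concat(entry.context)) {
      const verdict = classifyContext(ctx, hmrPath);
      if (verdict !== "clear") findings.push({ index, context: ctx, verdict });
    }
  });
  return findings;
}

// Constructed sample: broad context plus WebSocket forwarding (the risky shape).
const broadProxy = [
  { context: ["/"], target: "http://localhost:3000", ws: true },
];

// Constructed sample: contexts limited to specific paths, and WebSocket
// forwarding enabled only on the one route that needs it.
const scopedProxy = [
  { context: ["/api"], target: "http://localhost:3000" },
  { context: ["/socket"], target: "http://localhost:3000", ws: true },
];

console.log("broad: ", auditProxy(broadProxy));
console.log("scoped:", auditProxy(scopedProxy));
```

A `review` verdict means the context is a glob or a function and has to be checked by hand against the HMR path.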

Affected Version(s)

webpack-dev-server 0 < 5.2.5

webpack-dev-server 5.2.5

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bjohansebas
UlisesGascon
ajhyndman