Skip to main content

DevSpace CVE-2026-42283

| EUVDEUVD-2026-30319 HIGH
Information Exposure (CWE-200)
2026-05-06 https://github.com/devspace-sh/devspace GHSA-hqwm-7x7x-8379
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 06, 2026 - 17:45 vuln.today
Analysis Generated
May 06, 2026 - 17:45 vuln.today

DescriptionGitHub Advisory

Description

DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This allows an attacker to access:

  • /api/logs to stream real-time pod logs
  • /api/enter to open an interactive shell inside the running pod
  • /api/command to execute pre-defined pipeline commands

Patches

Versions 6.3.21 and above are patched.

Resources

gorilla/websocket CheckOrigin documentation

Installation Options

Devspace is no longer publishing to NPM or Yarn, please continue to use our other installation methods to get updates in the future, including this patch.

Credit

DevSpace thanks @b0b0haha for finding and reporting this vulnerability.

AnalysisAI

Cross-Site WebSocket Hijacking in DevSpace UI Server allows remote attackers to execute commands inside Kubernetes pods when developers visit malicious websites while DevSpace UI is running. The UI server's WebSocket endpoint at localhost:8090 accepts connections from any origin, enabling browser-based exploitation without authentication. DevSpace 6.3.20 and earlier are affected; version 6.3.21 contains the fix. No public exploit code identified at time of analysis, but exploitation technique is well-documented in WebSocket security research. The vulnerability enables attackers to stream pod logs, open interactive shells, and execute pipeline commands through the victim's active DevSpace session.

Technical ContextAI

DevSpace is a Kubernetes development tool written in Go that provides a local UI server for managing development environments. The vulnerability stems from improper implementation of the gorilla/websocket library's CheckOrigin function, which by default returns true for all origins. The WebSocket server listens on localhost:8090 and exposes three critical API endpoints (/api/logs, /api/enter, /api/command) without origin validation. This is a Cross-Site WebSocket Hijacking (CSWSH) attack vector, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Modern browsers allow JavaScript on any webpage to initiate WebSocket connections to localhost, and without CheckOrigin validation, the server cannot distinguish legitimate UI connections from attacker-controlled cross-origin requests. The affected package is pkg:go/github.com/loft-sh/devspace, and the fix in version 6.3.21 implements proper origin checking per gorilla/websocket security guidelines.

RemediationAI

Upgrade to DevSpace 6.3.21 or later, which implements proper WebSocket origin validation per the gorilla/websocket CheckOrigin security model. The patch is available through standard DevSpace installation methods documented at https://www.devspace.sh/docs/getting-started/installation - do NOT use deprecated NPM/Yarn packages. If immediate upgrade is not feasible, implement the following compensating controls: (1) Only run DevSpace UI when actively needed, then terminate the process - this minimizes the attack window to seconds rather than hours. (2) Use browser profiles or separate browsers for development work versus general web browsing, ensuring the browser running DevSpace UI never navigates to untrusted sites. (3) Deploy network-level controls to block outbound WebSocket connections from web browsers to localhost:8090, though this may interfere with legitimate UI functionality. (4) Consider firewall rules restricting which processes can bind to port 8090, though this is complex to implement correctly. Note that disabling the UI server entirely eliminates the attack surface but removes DevSpace's visual management capabilities. The primary fix (upgrade to 6.3.21) has no known side effects and is the recommended remediation.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-42283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy