Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Cookie leakage and Origin bypass warrant C:L and I:L; AV:N and PR:N apply since no local access or authentication is required once the misconfiguration is present.
Primary rating from Vendor (openjs).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description (NVD)
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).
Patches: Fixed in webpack-dev-server@5.2.5.
Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
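The workaround above can be checked mechanically. The following is an added example, not code from webpack-dev-server or the advisory: it audits a devServer.proxy array for entries that combine ws: true with a context that prefix-matches the HMR WebSocket path. The function names, the sample targets and the /ws default are assumptions made for illustration.

```javascript
// Added example: audits a devServer.proxy array for the condition in this advisory.
// HMR_PATH is the "typically /ws" path mentioned on the page; adjust if yours differs.
const HMR_PATH = '/ws';

// Constructed sample: broad context plus ws: true (the affected shape).
const broadConfig = [
  { context: ['/'], target: 'http://localhost:3000', ws: true },
];

// Constructed sample: the workaround, scoped contexts and ws only where needed.
const scopedConfig = [
  { context: ['/api'], target: 'http://localhost:3000' },
  { context: ['/socket'], target: 'http://localhost:3000', ws: true },
];

// True when a plain string context prefix-matches the HMR path.
function prefixCoversHmr(context, hmrPath) {
  return typeof context === 'string' && hmrPath.startsWith(context);
}

// Returns one finding per proxy context that would also capture the HMR upgrade.
function findRiskyProxyEntries(proxy, hmrPath = HMR_PATH) {
  const findings = [];
  proxy.forEach((entry, index) => {
    if (entry.ws !== true) return; // no WebSocket forwarding, no overlap
    // An entry without a context is treated as matching everything (assumption).
    const contexts = entry.context === undefined ? ['/'] : [].concat(entry.context);
    for (const context of contexts) {
      if (prefixCoversHmr(context, hmrPath)) {
        findings.push({ index, context, reason: `ws: true and context covers ${hmrPath}` });
      } else if (typeof context !== 'string' || /[*?{}!]/.test(context)) {
        // Globs and functions are not evaluated here; surface them for manual review.
        findings.push({ index, context: String(context), reason: 'non-literal context, review manually' });
      }
    }
  });
  return findings;
}

console.log(findRiskyProxyEntries(broadConfig));  // one finding, for context '/'
console.log(findRiskyProxyEntries(scopedConfig)); // no findings
```

An empty result only means no literal context overlaps the HMR path; upgrading to the fixed version remains the primary remediation.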
Analysis (AI)
webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (/) and ws: true, incorrectly forwards the dev server's own HMR WebSocket upgrade requests to the configured proxy backend. This unintentionally delivers browser cookies and the Origin header to the proxy target, bypasses the dev server's built-in Host/Origin validation, and corrupts the HMR channel by routing both HMR and proxy traffic over the same socket. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires two specific, co-occurring conditions in the webpack-dev-server proxy configuration: the proxy context must be set to / (or another path broad enough to prefix-match the HMR WebSocket path, typically /ws), AND ws: true must be present in the same proxy entry to enable WebSocket upgrade forwarding. … |
| Risk Assessment | The official CVSS base score of 5.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L captures only the availability dimension (HMR socket corruption) and is in direct tension with the CVE description, which explicitly identifies browser cookie leakage (confidentiality impact) and Host/Origin validation bypass (integrity impact). … |
| Exploit Scenario | A developer runs webpack-dev-server with a proxy entry targeting an attacker-controlled or third-party backend using context '/' and ws: true - a common scaffolded configuration for full-stack development. When any browser tab opens the dev server and HMR initiates its WebSocket handshake to /ws, the upgrade handler silently forwards the request (including the browser's cookies and Origin header) to the backend proxy target instead of handling it internally. … |
| Remediation | Upgrade to webpack-dev-server 5.2.5, which is the vendor-released patch confirmed by the OpenJS Foundation CNA advisory at https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 and implemented in https://github.com/webpack/webpack-dev-server/pull/4316. … |
EUVD-2026-36729