<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-18T07:16:00.984667+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/bb065a28-ae5e-4284-b74e-033022fae06c/export</id>
    <title>bb065a28-ae5e-4284-b74e-033022fae06c</title>
    <updated>2026-06-18T07:16:01.359282+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "bb065a28-ae5e-4284-b74e-033022fae06c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9595", "type": "seen", "source": "https://bsky.app/profile/bjohansebas.me/post/3modjudajts2z", "content": "\ud83d\udd12 New advisory: webpack-dev-server (CVE-2026-9595).\nA proxy with context / and ws: true intercepts the HMR WebSocket, leaking cookies to the backend.\n\u2705 Patched in 5.2.5\n github.com/webpack/webp...", "creation_timestamp": "2026-06-15T14:51:06.228928Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/bb065a28-ae5e-4284-b74e-033022fae06c/export"/>
    <published>2026-06-15T14:51:06.228928+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/edb51ece-b908-430a-a63b-f46779ab398d/export</id>
    <title>edb51ece-b908-430a-a63b-f46779ab398d</title>
    <updated>2026-06-18T07:16:01.359162+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "edb51ece-b908-430a-a63b-f46779ab398d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9595", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3modkqrbuns27", "content": "\ud83d\udea8 Medium-severity security fix in webpack-dev-server@5.2.5 just released!\n\nPatches CVE-2026-9595. webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies.\n\ngithub.com/webpack/webp...", "creation_timestamp": "2026-06-15T15:06:59.611656Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/edb51ece-b908-430a-a63b-f46779ab398d/export"/>
    <published>2026-06-15T15:06:59.611656+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3bbe7037-432b-4e69-b994-5b223f0d2d7b/export</id>
    <title>3bbe7037-432b-4e69-b994-5b223f0d2d7b</title>
    <updated>2026-06-18T07:16:01.356880+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "3bbe7037-432b-4e69-b994-5b223f0d2d7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9595", "type": "seen", "source": "https://gist.github.com/alon710/3232f2e304614604da98b70a9e646950", "content": "# CVE-2026-9595: CVE-2026-9595: WebSocket Proxying Vulnerability in webpack-dev-server leading to Host/Origin Validation Bypass\n\n&gt; **CVSS Score:** 5.3\n&gt; **Published:** 2026-06-17\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-9595\n\n## Summary\nwebpack-dev-server (WDS) is vulnerable to an Origin Validation Error (CWE-346) and a Confused Deputy vulnerability (CWE-441) due to path normalization discrepancies in its upgrade handling. When a proxy is configured with a broad context and WebSocket support is enabled, the proxy middleware intercepts internal Hot Module Replacement (HMR) WebSocket upgrade requests. This forwards the browser's credentials (such as Cookies and Origin headers) to the backend target, bypassing built-in security controls and corrupting the WebSocket connection.\n\n## TL;DR\nA path parsing discrepancy between Node's URL parser and the raw string checks in the 'ws' library allows proxy middleware in webpack-dev-server to intercept local HMR WebSocket traffic. This bypasses Host/Origin security controls and leaks client cookies to proxy targets.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-346, CWE-441\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **EPSS Score**: 0.00163 (Percentile: 5.81%)\n- **Impact**: Credential Leakage, Host Security Bypass, Connection Corruption\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- webpack-dev-server\n- **webpack-dev-server**: &lt; 5.2.5 (Fixed in: `5.2.5`)\n\n## Mitigation\n\n- Restrict the proxy context to narrow, specific sub-paths (e.g., '/api') rather than broad routing rules (e.g., '/')\n- Disable proxy WebSocket upgrades by setting 'ws: false' inside the proxy configurations where socket forwarding is not required\n- Audit development server configurations to prevent the binding of local development credentials to untrusted proxy targets\n\n**Remediation Steps:**\n1. Open the project's dependency manifest ('package.json')\n2. Update the 'webpack-dev-server' entry to version '^5.2.5'\n3. Reinstall dependencies using the package manager to pull down the updated version\n4. Verify the configuration of 'devServer.proxy' to ensure no wildcard mappings are active\n\n## References\n\n- [CVE-2026-9595 Reference Record](https://www.cve.org/CVERecord?id=CVE-2026-9595)\n- [GitHub Security Advisory GHSA-mx8g-39q3-5c79](https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79)\n- [Vue CLI Patch addressing related downstream proxy issues](https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb)\n- [Create React App Issue addressing proxy boundaries](https://github.com/facebook/create-react-app/pull/7444)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-9595) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T18:51:46.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3bbe7037-432b-4e69-b994-5b223f0d2d7b/export"/>
    <published>2026-06-17T18:51:46+00:00</published>
  </entry>
</feed>
