CVE-2026-9595

Source
https://cve.org/CVERecord?id=CVE-2026-9595
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9595.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9595
Aliases
Downstream
Related
Published
2026-06-15T15:00:21.488Z
Modified
2026-07-08T08:12:41.313421826Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Details

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches: Fixed in webpack-dev-server@5.2.5.

Workarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9595.json",
    "cna_assigner": "openjs",
    "cwe_ids": [
        "CWE-346",
        "CWE-441"
    ]
}
References

Affected packages

Git / github.com/vuejs/vue-cli

Affected ranges

Type
GIT
Repo
https://github.com/vuejs/vue-cli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}
Type
GIT
Repo
https://github.com/webpack/webpack-dev-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:webpack.js:webpack-dev-server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.2.5"
        }
    ]
}

Affected versions

@vue/cli-init@3.*
@vue/cli-init@3.1.1
@vue/cli-plugin-babel@3.*
@vue/cli-plugin-babel@3.1.1
@vue/cli-plugin-e2e-cypress@3.*
@vue/cli-plugin-e2e-cypress@3.1.1
@vue/cli-plugin-e2e-cypress@3.1.2
@vue/cli-plugin-e2e-nightwatch@3.*
@vue/cli-plugin-e2e-nightwatch@3.1.1
@vue/cli-plugin-eslint@3.*
@vue/cli-plugin-eslint@3.1.2
@vue/cli-plugin-eslint@3.1.3
@vue/cli-plugin-eslint@3.1.4
@vue/cli-plugin-eslint@3.1.5
@vue/cli-plugin-pwa@3.*
@vue/cli-plugin-pwa@3.1.1
@vue/cli-plugin-pwa@3.1.2
@vue/cli-plugin-typescript@3.*
@vue/cli-plugin-typescript@3.1.1
@vue/cli-plugin-unit-jest@3.*
@vue/cli-plugin-unit-jest@3.1.1
@vue/cli-plugin-unit-mocha@3.*
@vue/cli-plugin-unit-mocha@3.1.1
@vue/cli-service-global@3.*
@vue/cli-service-global@3.1.2
@vue/cli-service-global@3.1.3
@vue/cli-service@3.*
@vue/cli-service@3.1.2
@vue/cli-service@3.1.4
@vue/cli-shared-utils@3.*
@vue/cli-shared-utils@3.1.1
@vue/cli-test-utils@3.*
@vue/cli-test-utils@3.1.1
@vue/cli-ui-addon-webpack@3.*
@vue/cli-ui-addon-webpack@3.1.1
@vue/cli-ui-addon-webpack@3.1.2
@vue/cli-ui-addon-widgets@3.*
@vue/cli-ui-addon-widgets@3.1.1
@vue/cli-ui-addon-widgets@3.1.2
@vue/cli-ui@3.*
@vue/cli-ui@3.1.1
@vue/cli-ui@3.1.2
@vue/cli-upgrade@3.*
@vue/cli-upgrade@3.1.1
@vue/cli@3.*
@vue/cli@3.1.1
@vue/cli@3.1.2
@vue/cli@3.1.3
@vue/eslint-config-prettier@4.*
@vue/eslint-config-prettier@4.0.1
@vue/eslint-config-typescript@3.*
@vue/eslint-config-typescript@3.1.1
@vue/eslint-config-typescript@3.2.0
v1.*
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.14.0
v1.14.1
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v2.*
v2.0.0-beta
v2.1.0-beta.0
v2.1.0-beta.1
v2.1.0-beta.10
v2.1.0-beta.11
v2.1.0-beta.12
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-beta.5
v2.1.0-beta.6
v2.1.0-beta.7
v2.1.0-beta.8
v2.1.0-beta.9
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.2.0
v2.2.0-rc.0
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.5.0
v2.6.0
v2.6.1
v2.8.0
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.5
v2.9.6
v2.9.7
v3.*
v3.0.0
v3.0.0-alpha.1
v3.0.0-alpha.10
v3.0.0-alpha.11
v3.0.0-alpha.12
v3.0.0-alpha.13
v3.0.0-alpha.2
v3.0.0-alpha.3
v3.0.0-alpha.4
v3.0.0-alpha.5
v3.0.0-alpha.6
v3.0.0-alpha.7
v3.0.0-alpha.8
v3.0.0-alpha.9
v3.0.0-beta.1
v3.0.0-beta.12
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-rc.1
v3.0.0-rc.10
v3.0.0-rc.11
v3.0.0-rc.12
v3.0.0-rc.2
v3.0.0-rc.3
v3.0.0-rc.4
v3.0.0-rc.5
v3.0.0-rc.6
v3.0.0-rc.7
v3.0.0-rc.8
v3.0.0-rc.9
v3.0.1
v3.0.1-beta.0
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.10.0
v3.10.2
v3.10.3
v3.11.0
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.6.1
v3.6.2
v3.6.3
v3.7.0
v3.7.1
v3.7.2
v3.8.0
v3.8.1
v3.8.2
v3.9.0
v4.*
v4.0.0
v4.0.0-alpha.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.0
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-rc.0
v4.0.0-rc.1
v4.1.0
v4.1.1
v4.10.0
v4.10.1
v4.11.0
v4.11.1
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.13.3
v4.14.0
v4.15.0
v4.15.1
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
vue-cli-version-marker@3.*
vue-cli-version-marker@3.1.1
vue-cli-version-marker@3.1.2
vue-cli-version-marker@3.2.2
vue-cli-version-marker@3.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9595.json"