GHSA-hqwm-7x7x-8379
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hqwm-7x7x-8379
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hqwm-7x7x-8379/GHSA-hqwm-7x7x-8379.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hqwm-7x7x-8379
- Aliases
-
- CVE-2026-42283
- Published
- 2026-05-06T17:05:57Z
- Modified
- 2026-05-14T21:02:47.650796Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- DevSpace UI Server WebSocket CheckOrigin does not validate source
- Details
-
Description
DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to
ws://127.0.0.1:8090. This allows an attacker to access: */api/logsto stream real-time pod logs */api/enterto open an interactive shell inside the running pod */api/commandto execute pre-defined pipeline commandsPatches
Versions 6.3.21 and above are patched.
Resources
gorilla/websocket CheckOrigin documentation
Installation Options
Devspace is no longer publishing to NPM or Yarn, please continue to use our other installation methods to get updates in the future, including this patch.
Credit
DevSpace thanks @b0b0haha for finding and reporting this vulnerability.
- Database specific
{ "github_reviewed_at": "2026-05-06T17:05:57Z", "nvd_published_at": "2026-05-14T16:16:21Z", "cwe_ids": [ "CWE-200", "CWE-306" ], "severity": "HIGH", "github_reviewed": true }- References
Affected packages
Go / github.com/loft-sh/devspace
Package
- Name
- github.com/loft-sh/devspace
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/loft-sh/devspace