MEDIUM 5.3
GHSA-mx8g-39q3-5c79
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Details
### Impact
When a user-configured `proxy` entry on `webpack-dev-server` has a broad `context` (for example `/`, which matches every request path) together with `ws: true`, it also matches the dev server's own HMR WebSocket upgrade and forwards it to the proxy target. This leaks the browser's cookies and `Origin` header to that backend, bypasses the dev server's own Host/Origin validation for the HMR connection, and corrupts the HMR socket, since both the HMR handler and the proxy end up writing to the same socket.
### Patches
Fixed in `webpack-dev-server` 5.2.5.
### Workarounds
Scope user-defined proxy `context` values to the specific paths the backend actually serves instead of `/`, or omit `ws: true` from the proxy entry when WebSocket forwarding is not required.
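The misconfiguration and both workarounds side by side, together with a small audit helper, as an added example that is not code from the advisory or from the webpack-dev-server project. It assumes the HMR WebSocket is served at the default `client.webSocketURL` pathname `/ws`, models proxy `context` matching as a plain path-prefix check (glob contexts are not handled), and `findHmrInterceptingProxies` / `contextMatches` are hypothetical helpers, not webpack APIs.

```javascript
// Added example (not code from the advisory or from webpack-dev-server).
// Assumptions: the HMR WebSocket is served at the default
// client.webSocketURL pathname "/ws", and proxy `context` matching is
// modelled as a simple path-prefix check (glob contexts are not handled).
const HMR_WS_PATH = '/ws';

// Vulnerable: a catch-all context with ws: true also matches the dev
// server's own HMR WebSocket upgrade, so it is forwarded to the backend
// along with the browser's cookies and Origin header.
const vulnerableDevServer = {
  proxy: [
    { context: '/', target: 'http://localhost:3000', ws: true },
  ],
};

// Workaround 1: scope the context to the paths the backend actually owns.
// "/ws" no longer matches, so the HMR socket stays with the dev server.
const scopedDevServer = {
  proxy: [
    { context: ['/api', '/graphql'], target: 'http://localhost:3000', ws: true },
  ],
};

// Workaround 2: keep the broad context but drop ws: true when the backend
// does not need WebSocket forwarding; plain HTTP requests are still proxied.
const noWsDevServer = {
  proxy: [
    { context: '/', target: 'http://localhost:3000' },
  ],
};

// Simplified model of how a proxy `context` is tested against a request
// pathname: a string is a path prefix, an array matches if any element
// matches, and a function is called with the pathname. (Assumption: this
// approximates http-proxy-middleware's context matching closely enough
// for an audit; glob contexts such as "/**" are out of scope.)
function contextMatches(context, pathname) {
  if (typeof context === 'function') return Boolean(context(pathname));
  if (Array.isArray(context)) return context.some((c) => contextMatches(c, pathname));
  if (typeof context === 'string') return pathname.startsWith(context);
  return false;
}

// Hypothetical audit helper (not a webpack API): returns the proxy entries
// that would capture the HMR WebSocket, i.e. those that forward upgrades
// (ws: true) and whose context matches the HMR path. An empty result means
// the config is safe under this model.
function findHmrInterceptingProxies(devServer, hmrPath = HMR_WS_PATH) {
  const proxies = Array.isArray(devServer.proxy) ? devServer.proxy : [];
  return proxies.filter(
    (entry) => entry.ws === true && contextMatches(entry.context, hmrPath),
  );
}

// Run the audit over the three configs above.
for (const [name, cfg] of Object.entries({ vulnerableDevServer, scopedDevServer, noWsDevServer })) {
  const hits = findHmrInterceptingProxies(cfg);
  console.log(
    hits.length === 0
      ? `${name}: ok`
      : `${name}: HMR socket intercepted by context ${JSON.stringify(hits.map((h) => h.context))}`,
  );
}
```

The `hmrPath` parameter matters when a project moves the HMR socket with `client.webSocketURL.pathname`: a socket placed under an already-proxied prefix such as `/api/ws` is intercepted by the "scoped" config just as the default path is by `/`, so the audit should be run with the path the project actually configures.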
Affected packages
- `webpack-dev-server` (npm), versions before 5.2.5 (fixed in 5.2.5)
References
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-9595 [ADVISORY]
- https://github.com/facebook/create-react-app/pull/7444 [WEB]
- https://github.com/webpack/webpack-dev-server/pull/4316 [WEB]
- https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb [WEB]
- https://cna.openjsf.org/security-advisories.html [WEB]
- https://github.com/webpack/webpack-dev-server [PACKAGE]