SB2026061603 - Origin validation error in webpack-dev-server




Published: June 16, 2026

Security Bulletin ID: SB2026061603
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Partial DoS

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Origin validation error (CVE-ID: CVE-2026-9595)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an origin validation error in the HMR WebSocket handling when WebSocket connections are processed through a user-configured proxy that has a broad context and WebSocket forwarding enabled. A remote attacker can cause the dev server's HMR WebSocket to be intercepted and forwarded to the proxy target, resulting in a denial of service.

The issue can leak the browser's cookies and Origin header to the backend and bypass the dev server's Host and Origin validation.
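
An added example (not from the bulletin or the webpack-dev-server project) that audits a devServer.proxy array for the condition described above: an entry with ws: true whose context also covers the HMR socket path. It assumes the HMR socket is served at /ws and that an entry without a context matches every path; the sample entries are constructed.

```javascript
// Added example, not webpack-dev-server code. Assumptions: the HMR socket is
// served at "/ws", and a proxy entry without `context` matches every path.
const HMR_PATH = "/ws";

// Characters that make a context a glob pattern rather than a plain prefix.
const GLOB_CHARS = /[*?!{}[\]()]/;

// Return one finding per ws-enabled proxy context that covers (or may cover)
// the HMR socket path. verdict: "exposed" = plain prefix match,
// "review" = glob or function context that needs a manual look.
function auditProxy(entries, hmrPath = HMR_PATH) {
  const findings = [];
  entries.forEach((entry, index) => {
    if (entry.ws !== true) return; // only WebSocket forwarding is relevant
    const contexts = entry.context === undefined ? ["/"] : [].concat(entry.context);
    for (const ctx of contexts) {
      if (typeof ctx !== "string") {
        findings.push({ index, context: "<function>", verdict: "review" });
      } else if (GLOB_CHARS.test(ctx)) {
        findings.push({ index, context: ctx, verdict: "review" });
      } else if (hmrPath.startsWith(ctx)) {
        findings.push({ index, context: ctx, verdict: "exposed" });
      }
    }
  });
  return findings;
}

// Constructed sample devServer.proxy entries (targets are placeholders).
const sampleProxy = [
  { context: ["/api"], target: "http://localhost:3000" },
  { context: ["/"], target: "http://localhost:3000", ws: true },
  { context: ["/socket"], target: "http://localhost:3000", ws: true },
  { context: "/**", target: "http://localhost:3000", ws: true },
];

for (const f of auditProxy(sampleProxy)) {
  console.log(`proxy[${f.index}] context ${f.context}: ${f.verdict}`);
}
```

Entries reported as "exposed" or "review" are the ones to narrow to the backend's own paths until the update is installed.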


Remediation

Install the update from the vendor's website.