SB2026061603 - Origin validation error in webpack-dev-server
Published: June 16, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Origin validation error (CVE-ID: CVE-2026-9595)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an origin validation error in HMR WebSocket handling when WebSocket connections pass through a user-configured proxy with a broad context and WebSocket forwarding enabled. A remote attacker can cause the dev server's HMR WebSocket to be intercepted and forwarded to the proxy target, resulting in a denial of service.
The issue can leak the browser's cookies and Origin header to the backend and bypass the dev server's Host and Origin validation.
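The condition described above can be checked against a project's dev-server configuration. The following is an added example, not code from this bulletin or from webpack-dev-server: it audits a `proxy` array for entries with WebSocket forwarding (`ws`) whose `context` covers the HMR WebSocket path, assumed here to be the default `/ws`; `auditProxy`, `classifyContext` and the sample entries are hypothetical names and constructed data.

```javascript
// Added example: audits a webpack-dev-server `proxy` array for the condition
// the bulletin describes (broad context + WebSocket forwarding).
// ASSUMPTION: the HMR WebSocket is served at "/ws" (the dev server's default
// path); pass a different value if the project overrides it.
const DEFAULT_HMR_PATH = "/ws";

// Classify one context value against the HMR path.
// Plain strings are compared by prefix, the way string contexts are matched
// by the proxy middleware; globs, functions and missing values need review.
function classifyContext(context, hmrPath) {
  if (typeof context !== "string" || /[*?{}!]/.test(context)) return "review";
  return hmrPath.startsWith(context) ? "covers-hmr" : "ok";
}

// Returns one finding per proxy entry that forwards WebSockets and whose
// context covers (or might cover) the HMR path.
function auditProxy(proxyEntries, hmrPath = DEFAULT_HMR_PATH) {
  const findings = [];
  proxyEntries.forEach((entry, index) => {
    if (!entry.ws) return; // no WebSocket forwarding on this entry
    const contexts = Array.isArray(entry.context) ? entry.context : [entry.context];
    const verdicts = contexts.map((c) => classifyContext(c, hmrPath));
    const status = verdicts.includes("covers-hmr") ? "covers-hmr"
      : verdicts.includes("review") ? "review" : "ok";
    if (status !== "ok") {
      findings.push({ index, target: entry.target, context: entry.context, status });
    }
  });
  return findings;
}

// Constructed sample configuration (not taken from any real project).
const sampleProxy = [
  { context: ["/"], target: "http://localhost:3000", ws: true },    // broad + ws
  { context: ["/api"], target: "http://localhost:3000", ws: true }, // narrow + ws
  { context: ["/"], target: "http://localhost:4000" },              // broad, no ws
  { context: () => true, target: "http://localhost:5000", ws: true }, // function
];

for (const f of auditProxy(sampleProxy)) {
  console.log(`proxy[${f.index}] -> ${f.target}: ${f.status}`);
}
```

A `covers-hmr` result means the entry matches the configuration the bulletin describes; `review` marks glob, function or missing contexts that a string comparison cannot decide.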
Remediation
Install the update from the vendor's website.