
Update dependency webpack-dev-server to v5.2.5 [SECURITY] #103

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-webpack-dev-server-vulnerability

Conversation

@renovate renovate Bot commented Jun 18, 2026

Contributor

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| webpack-dev-server | 5.2.4 -> 5.2.5 | (badge image) | (badge image) |

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

CVE-2026-9595 / GHSA-mx8g-39q3-5c79

Impact

When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).

Patches

Fixed in webpack-dev-server 5.2.5.

Workarounds

Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.5

Patch Changes
  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)
Bug Fixes
  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
5.2.3 (2026-01-12)
Bug Fixes
  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5
5.2.2 (2025-06-03)
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
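Added example, not code from this Renovate PR or from the webpack-dev-server project: a small check that flags devServer.proxy entries whose context would also capture the dev server's own HMR WebSocket upgrade when `ws: true`, shown against the broad configuration the advisory's Impact section describes and the scoped one its Workarounds section recommends. It assumes the HMR pathname is `/ws` (webpack-dev-server's default client.webSocketURL pathname) and that string contexts are plain path prefixes, as in http-proxy-middleware.

```javascript
// Added example, not code from the Renovate PR or from webpack-dev-server itself.
// Flags devServer.proxy entries that would also capture the dev server's own HMR
// WebSocket upgrade: a `ws: true` entry whose context matches the HMR pathname.
// Assumptions: the HMR pathname is "/ws" (webpack-dev-server's default
// client.webSocketURL pathname) and string contexts are plain path prefixes, as in
// http-proxy-middleware; glob and RegExp contexts are not modelled here.

const DEFAULT_HMR_WS_PATH = "/ws"; // assumed default; override if you configured another

function contextMatches(context, pathname) {
  if (typeof context === "function") return Boolean(context(pathname));
  if (Array.isArray(context)) return context.some((c) => contextMatches(c, pathname));
  // A string context is a prefix match, so "/" matches every path, including "/ws".
  if (typeof context === "string") return pathname.startsWith(context);
  return false;
}

// Returns the entries that would intercept the HMR upgrade (an empty list means none).
function findHmrInterceptingProxies(proxyEntries, hmrPath = DEFAULT_HMR_WS_PATH) {
  return proxyEntries.filter(
    (entry) => entry.ws === true && contextMatches(entry.context, hmrPath),
  );
}

// Constructed sample configs: the broad setting from the advisory beside a scoped one.
const weakProxy = [
  { context: ["/"], target: "http://localhost:8080", ws: true },
];
const hardenedProxy = [
  // Only the backend's own paths are forwarded, so "/ws" never matches.
  { context: ["/api", "/socket.io"], target: "http://localhost:8080", ws: true },
  // No WebSocket forwarding is needed here, so `ws` is omitted entirely.
  { context: ["/legacy"], target: "http://localhost:8081" },
];

for (const [name, proxy] of [["weak", weakProxy], ["hardened", hardenedProxy]]) {
  const hits = findHmrInterceptingProxies(proxy);
  console.log(name, "config:", hits.length, "proxy entries would intercept HMR");
}
```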

@renovate renovate Bot requested a deployment to prompt-dev-vm June 18, 2026 10:27 Waiting