Vulnerability-Lookup

GHSA-HQWM-7X7X-8379

Vulnerability from github – Published: 2026-05-06 17:05 – Updated: 2026-05-14 20:51

Summary

DevSpace UI Server WebSocket CheckOrigin does not validate source

Details

Description

DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This allows an attacker to access: * /api/logs to stream real-time pod logs * /api/enter to open an interactive shell inside the running pod * /api/command to execute pre-defined pipeline commands

Patches

Versions 6.3.21 and above are patched.

Resources

gorilla/websocket CheckOrigin documentation

Installation Options

Devspace is no longer publishing to NPM or Yarn, please continue to use our other installation methods to get updates in the future, including this patch.

Credit

DevSpace thanks @b0b0haha for finding and reporting this vulnerability.

Severity

7.7 (High)


                  
                    CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/loft-sh/devspace"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.3.20"
            },
            {
              "fixed": "6.3.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.3.20"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:05:57Z",
    "nvd_published_at": "2026-05-14T16:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nDevSpace\u0027s UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to `ws://127.0.0.1:8090`. This allows an attacker to access: \n* `/api/logs` to stream real-time pod logs\n* `/api/enter` to open an interactive shell inside the running pod\n* `/api/command` to execute pre-defined pipeline commands\n\n### Patches\n\nVersions 6.3.21 and above are patched.\n\n### Resources\n\n[gorilla/websocket CheckOrigin documentation](https://pkg.go.dev/github.com/gorilla/websocket#hdr-Origin_Considerations)\n\n### Installation Options\n\nDevspace is no longer publishing to NPM or Yarn, please continue to use our [other installation methods](https://www.devspace.sh/docs/getting-started/installation) to get updates in the future, including this patch.\n\n### Credit\n\nDevSpace thanks @b0b0haha for finding and reporting this vulnerability.",
  "id": "GHSA-hqwm-7x7x-8379",
  "modified": "2026-05-14T20:51:39Z",
  "published": "2026-05-06T17:05:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42283"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devspace-sh/devspace"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DevSpace UI Server WebSocket CheckOrigin does not validate source"
}

CVE-2026-42283 (GCVE-0-2026-42283)

Vulnerability from cvelistv5 – Published: 2026-05-14 15:44 – Updated: 2026-05-16 00:36

Title

DevSpace UI Server WebSocket CheckOrigin does not validate source

Summary

DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21.

Severity

7.7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-306 - Missing Authentication for Critical Function
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/devspace-sh/devspace/security/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
devspace-sh	devspace	Affected: < 6.3.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42283",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-16T00:36:03.485796Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T00:36:17.542Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "devspace",
          "vendor": "devspace-sh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.3.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace\u0027s UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T15:44:22.499Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379"
        }
      ],
      "source": {
        "advisory": "GHSA-hqwm-7x7x-8379",
        "discovery": "UNKNOWN"
      },
      "title": "DevSpace UI Server WebSocket CheckOrigin does not validate source"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42283",
    "datePublished": "2026-05-14T15:44:22.499Z",
    "dateReserved": "2026-04-26T12:13:55.551Z",
    "dateUpdated": "2026-05-16T00:36:17.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted