CVE-2023-26114
In short
Code-server versions before 4.10.1 do not validate the Origin of WebSocket handshakes, so a malicious website visited by a user who is logged in to code-server can open a WebSocket to that user's instance and read data from it or act through it.
Technical detail
The WebSocket handshake handler does not validate the Origin header (CWE-1385: Missing Origin Validation in WebSockets; CWE-346: Origin Validation Error). Browsers do not apply the same-origin policy to WebSocket connections: a page served from any origin may open a WebSocket to the code-server host, and the browser attaches the user's cookies for that host to the handshake. The Origin header is the server's only signal of which page initiated the connection, so with no check a malicious site visited by a user with an active code-server session can open a WebSocket that the instance treats as the user's own, read the data it returns and use the functionality it exposes. The attacker needs no credentials of their own, but does need such a victim to visit the attacker's page from a browser that can reach the instance, which the CVSS vector reflects (PR:N, UI:R, AC:H).
Summary generated and translated by AI from the official description.
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P
Affected products
n/a · code-server