CVE-2026-42283
DevSpace UI Server WebSocket CheckOrigin does not validate source
Description
### Description

DevSpace's UI server accepts WebSocket connections from all origins by default, so the endpoints served over that WebSocket are reachable cross-origin. When a developer runs the DevSpace UI while also browsing the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to `ws://127.0.0.1:8090`. This gives an attacker access to:

* `/api/logs` to stream real-time pod logs
* `/api/enter` to open an interactive shell inside the running pod
* `/api/command` to execute pre-defined pipeline commands

### Patches

Versions 6.3.21 and above are patched.

### Resources

[gorilla/websocket CheckOrigin documentation](https://pkg.go.dev/github.com/gorilla/websocket#hdr-Origin_Considerations)

### Installation Options

DevSpace is no longer publishing to NPM or Yarn; please continue to use our [other installation methods](https://www.devspace.sh/docs/getting-started/installation) to get updates in the future, including this patch.

### Credit

DevSpace thanks @b0b0haha for finding and reporting this vulnerability.
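The root cause named in the title is a `CheckOrigin` callback that accepts every origin. As an added example (not DevSpace's own code), the block below places that weak pattern beside a hardened check built for gorilla/websocket's `Upgrader.CheckOrigin`, whose signature is `func(*http.Request) bool`. Per the linked documentation, leaving `CheckOrigin` nil applies a same-host default; an override that returns `true` discards it. The block uses only the standard library so it runs without the gorilla module; the allowlist contents, the `attacker.example` origin and the helper names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// permissiveCheckOrigin is the weak pattern the advisory describes:
// every Origin header, including one sent by an unrelated website open
// in the developer's browser, is accepted, so that page can open a
// WebSocket to ws://127.0.0.1:8090 cross-origin.
func permissiveCheckOrigin(r *http.Request) bool {
	return true
}

// originAllowed parses an Origin header value and accepts it only when
// the scheme is http or https and the host:port exactly matches one of
// the allowed origins (compared case-insensitively). Exact matching is
// deliberate: a prefix or substring check would let
// "http://127.0.0.1:8090.attacker.example" through.
func originAllowed(origin string, allowed []string) bool {
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake, so an
		// absent header means a non-browser client (same behaviour as
		// the gorilla default). Tighten to "return false" if the
		// endpoint is only ever used from a browser.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false // "null", garbage, or non-web schemes are rejected
	}
	host := strings.ToLower(u.Host)
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// strictCheckOrigin returns a function with the Upgrader.CheckOrigin
// signature that consults an explicit allowlist (assumed values below).
func strictCheckOrigin(allowed []string) func(r *http.Request) bool {
	return func(r *http.Request) bool {
		return originAllowed(r.Header.Get("Origin"), allowed)
	}
}

func main() {
	// Assumed allowlist: only the UI's own loopback origins may connect.
	allowed := []string{"127.0.0.1:8090", "localhost:8090"}
	check := strictCheckOrigin(allowed)
	// Constructed handshake origins: one legitimate, two that must fail.
	for _, o := range []string{
		"http://localhost:8090",
		"https://attacker.example",
		"http://127.0.0.1:8090.attacker.example",
	} {
		req, _ := http.NewRequest("GET", "http://127.0.0.1:8090/api/logs", nil)
		req.Header.Set("Origin", o)
		fmt.Printf("%-42s permissive=%v strict=%v\n", o, permissiveCheckOrigin(req), check(req))
	}
}
```

Wiring it in is a one-liner on the upgrader (`upgrader.CheckOrigin = strictCheckOrigin(allowed)`); the loop in `main` shows that the permissive callback admits all three origins while the strict one admits only the loopback origin and rejects the look-alike host.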
How to fix CVE-2026-42283
To fix CVE-2026-42283, upgrade the affected package to the patched version below.
- Upgrade to 6.3.21 or later
Is CVE-2026-42283 being exploited?
Low. EPSS is 0.0%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- >= 6.3.20, < 6.3.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.7) | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |