CVE-2023-26114: code-server vulnerable to Missing Origin Validation in WebSockets

March 23, 2023

Versions of the package code-server before 4.10.1 is vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

References

github.com/advisories/GHSA-frjg-g767-7363
github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7
github.com/coder/code-server/releases/tag/v4.10.1
nvd.nist.gov/vuln/detail/CVE-2023-26114
security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148

Detect and mitigate CVE-2023-26114 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →