
CWE-1385 — Vulnerability Class 25

25 vulnerabilities classified as CWE-1385. AI Chinese analysis included.

CWE-1385 represents a critical input validation weakness where a server fails to verify the origin of incoming WebSocket connections. This flaw allows attackers to exploit the persistent, bidirectional nature of WebSockets by forging requests from malicious third-party sites, bypassing standard Same-Origin Policy protections. By tricking a victim’s browser into establishing a connection, an attacker can send unauthorized commands or exfiltrate sensitive data directly to the vulnerable server. To mitigate this risk, developers must rigorously validate the Origin header during the initial HTTP handshake that upgrades the connection to WebSocket protocol. Implementing strict origin checking ensures that only trusted domains can establish persistent communication channels, effectively preventing cross-site request forgery attacks and unauthorized data access through forged WebSocket connections.

MITRE CWE Description
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. WebSockets provide a bi-directional low latency communication (near real-time) between a client and a server. WebSockets are different than HTTP in that the connections are long-lived, as the channel will remain open until the client or the server is ready to send the message, whereas in HTTP, once the response occurs (which typically happens immediately), the transaction completes. A WebSocket can leverage the existing HTTP protocol over ports 80 and 443, but it is not limited to HTTP. WebSockets can make cross-origin requests that are not restricted by browser-based protection mechanisms such as the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS). Without explicit origin validation, this makes CSRF attacks more powerful.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control
Impact: Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart
The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web applicati…
Mitigations (5)
Implementation: Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
Implementation: Use a randomized CSRF token to verify requests.
Implementation: Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.
Architecture and Design, Implementation: Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.
Implementation: Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this. (Effectiveness: Defense in Depth)
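The first mitigation above, an Origin allowlist checked during the handshake, written out as an added example (not code from the page or from any project listed below). It is shaped like the `verifyClient(info, cb)` hook of the Node `ws` library mentioned in the mitigations, but does not import `ws`; the allowlist entries and the handshake descriptors are constructed for the example.

```javascript
// Trusted origins the WebSocket server will accept (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns true only when the Origin header is present, parseable, and is an
// exact scheme+host+port match for an allowlisted entry. Suffix or substring
// checks (e.g. endsWith("example.com")) are the "incomplete validation" variant
// of this weakness and are deliberately not used here.
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin === "" || origin === "null") {
    // A missing Origin or the opaque "null" origin (sandboxed iframe, file://)
    // is rejected rather than being assumed to be same-origin.
    return false;
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  // URL.origin lowercases the host and drops default ports, so
  // "https://App.Example.com:443" compares equal to "https://app.example.com".
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Weak version: accepts every upgrade regardless of Origin (the CWE-1385 condition).
function verifyClientWeak(info, cb) {
  cb(true);
}

// Hardened version. In ws, info.origin is the Origin header of the upgrade
// request and cb(false, code, message) rejects the handshake with that status.
// Browsers set Origin and page script cannot override it, so this blocks
// cross-site browser connections; a non-browser client can send any value,
// which is why authentication is still required on top of this check.
function verifyClientStrict(info, cb) {
  if (!isTrustedOrigin(info.origin)) {
    return cb(false, 403, "Forbidden: untrusted Origin");
  }
  cb(true);
}

// Runs a verifier against a constructed handshake descriptor and returns the decision.
function decide(verify, origin) {
  let result;
  const info = { origin, secure: true, req: { headers: { origin } } };
  verify(info, (ok, code) => { result = { ok, code }; });
  return result;
}
```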
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-34403 | Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints | nginx-ui | 8.8 (AI) | High (AI) | 2026-04-20
CVE-2026-35589 | nanobot: Cross-Site WebSocket Hijacking in WhatsApp Bridge (CVE-2026-2577 Fix Update) | nanobot | 8.0 | High | 2026-04-14
CVE-2026-27977 | Next.js: null origin can bypass dev HMR websocket CSRF checks | next.js | 7.1 | - | 2026-03-17
CVE-2026-1692 | Missing origin validation in GraphicalData web service requests | PcVue | 5.4 (AI) | Medium (AI) | 2026-02-26
CVE-2025-68930 | Traccar Missing Origin Validation in WebSockets | traccar | 7.1 | High | 2026-02-23
CVE-2026-22689 | Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails | mailpit | 6.5 | Medium | 2026-01-10
CVE-2026-21883 | Bokeh server applications have Incomplete Origin Validation in WebSockets | bokeh | 4.3 | - | 2026-01-08
CVE-2025-61987 | Japan Total System multiple products security vulnerability | GroupSession Free edition | 4.3 (AI) | Medium (AI) | 2025-12-12
CVE-2025-54289 | Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API | LXD | 8.8 (AI) | High (AI) | 2025-10-02
CVE-2024-51775 | Apache Zeppelin: Command Injection via CSWSH | Apache Zeppelin | 5.3 | - | 2025-08-03
CVE-2025-36116 | IBM Db2 Mirror for i cross-site websocket hijacking | Db2 Mirror for i | 6.3 | Medium | 2025-07-23
CVE-2025-52882 | Claude Code IDE extensions allow websocket connections from arbitrary origins | claude-code | 7.1 (AI) | High (AI) | 2025-06-24
CVE-2025-48068 | Information exposure in Next.js dev server due to lack of origin verification | next.js | 2.5 (AI) | Low (AI) | 2025-05-30
CVE-2024-8201 | Cross-Site WebSocket Hijacking Vulnerability in Hitachi Ops Center Analyzer | Hitachi Ops Center Analyzer | 5.4 | Medium | 2025-05-16
CVE-2025-24964 | Remote Code Execution when accessing a malicious website while Vitest API server is listening | vitest | 9.7 | Critical | 2025-02-04
CVE-2024-48849 | Authentication and Authorization Issues | FLXEON | 9.4 | Critical | 2025-01-29
CVE-2023-32264 | OpenText Documentum D2 security vulnerability | Documentum D2 | 5.8 | Medium | 2024-03-08
CVE-2023-49805 | Uptime Kuma Missing Origin Validation in WebSockets | uptime-kuma | 6.0 | Medium | 2023-12-11
CVE-2023-2848 | Movim access control error vulnerability | Movim | 8.0 | High | 2023-09-14
CVE-2023-2850 | NodeBB access control error vulnerability | NodeBB | 4.7 | Medium | 2023-07-25
CVE-2023-2886 | Cross-Site WebSocket Hijacking in CBOT's Chatbot | Chatbot | 4.3 | Medium | 2023-05-25
CVE-2023-30856 | eDEX-UI cross-site websocket hijacking vulnerability enables remote command execution | edex-ui | 8.3 | High | 2023-04-28
CVE-2023-26114 | Coder Code-Server access control error vulnerability | code-server | 8.2 | High | 2023-03-23
CVE-2023-0957 | Gitpod access control error vulnerability | Gitpod | 8.2 | High | 2023-03-03
CVE-2014-125071 | lukehutch Gribbit HttpRequestHandler.java messageReceived missing origin validation in websockets | Gribbit | 5.5 | Medium | 2023-01-09

Vulnerabilities classified as CWE-1385 represent 25 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.