Miggo Logo
Miggo Vulnerability Database
CVE-2023-26114

CVE-2023-26114: code-server vulnerable to Missing Origin Validation in WebSockets

9.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-26114
GHSA ID
GHSA-frjg-g767-7363
EPSS Score
0.16239%
CWE
CWE-346
Published
3/23/2023
Updated
3/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
code-servernpm< 4.10.14.10.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing origin validation in WebSocket handlers across multiple endpoints. The patch added 'ensureOrigin' checks to these routes, which: 1) validate() Origin header against Host/X-Forwarded headers 2) Handle Forwarded header parsing 3) Block requests with mismatched origins. The vulnerable versions lacked these checks in their WebSocket handlers, particularly visible in routes like domainProxy.ts (lines 78-86), pathProxy.ts (line 50), and vscode.ts (line 173) where WebSocket handlers were modified to add origin validation middleware. The absence of these checks in pre-4.10.1 versions allowed cross-origin WebSocket hijacking.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** *o**-s*rv*r ***or* *.**.* *r* vuln*r**l* to Missin* Ori*in V*li**tion in W**So*k*ts **n*s**k*s. *xploitin* t*is vuln*r**ility **n *llow *n **v*rs*ry in sp**i*i* s**n*rios to ****ss **t* *rom *n* *onn**t to t** *o**-s*rv*r inst

Reasoning

T** vuln*r**ility st*mm** *rom missin* ori*in v*li**tion in W**So*k*t **n*l*rs **ross multipl* *n*points. T** p*t** ***** '*nsur*Ori*in' ****ks to t**s* rout*s, w*i**: *) `v*li**t*()` Ori*in *****r ***inst *ost/X-*orw*r*** *****rs *) **n*l* *orw*r***