Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) code-server is an application that allows running VS Code on a remote server. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `proxy` subpath. An attacker can gain unauthorized access to session tokens by crafting a malicious URL that manipulates the proxy functionality to redirect to an arbitrary domain. This occurs due to improper validation of an expected local proxy port for requests, allowing proxying to an arbitrary domain. Note: This vulnerability requires the built-in proxy in the Code-Server to be enabled How to fix Server-side Request Forgery (SSRF)? Upgrade `code-server` to version 4.99.4 or higher.	<4.99.4
H Missing Origin Validation in WebSockets code-server is an application that allows running VS Code on a remote server. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance. How to fix Missing Origin Validation in WebSockets? Upgrade `code-server` to version 4.10.1 or higher.	<4.10.1

Server-side Request Forgery (SSRF)

code-server is an application that allows running VS Code on a remote server.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the proxy subpath. An attacker can gain unauthorized access to session tokens by crafting a malicious URL that manipulates the proxy functionality to redirect to an arbitrary domain. This occurs due to improper validation of an expected local proxy port for requests, allowing proxying to an arbitrary domain.

Note: This vulnerability requires the built-in proxy in the Code-Server to be enabled

How to fix Server-side Request Forgery (SSRF)?

Upgrade code-server to version 4.99.4 or higher.

<4.99.4

Missing Origin Validation in WebSockets

code-server is an application that allows running VS Code on a remote server.

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

How to fix Missing Origin Validation in WebSockets?

Upgrade code-server to version 4.10.1 or higher.

<4.10.1

Go back to all versions of this package