DevSpace
cpe:2.3:a:devspace:devspace:*:*:*:*:*:*:*
- 6.3.20
A vulnerability exists in the DevSpace UI server's WebSocket endpoint prior to version 6.3.21: by default it accepts WebSocket connections from any origin. A malicious website loaded in the developer's browser can therefore open a WebSocket connection to the local DevSpace UI server and reach sensitive endpoints such as real-time pod logs, interactive shell access inside running pods, and execution of predefined pipeline commands.
Exploitation of this vulnerability gives unauthorized access to WebSocket endpoints that stream real-time pod logs, open interactive shells inside running pods, and execute predefined pipeline commands, potentially leading to unauthorized manipulation of Kubernetes resources or exposure of sensitive information.
Users can update to DevSpace version 6.3.21 or later to address this vulnerability. DevSpace is no longer published on NPM or Yarn; please use the available installation methods to get updates, including this patch.
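As an added illustration of the root cause from the defender's side (example code, not DevSpace's own), the following contrasts the weak default the advisory describes, a WebSocket upgrade accepted for every Origin, with a same-origin check on the handshake. The port 8090 and the `/api/ws` path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// checkOriginPermissive mirrors the weak default the advisory describes:
// the handshake is accepted for every Origin, so any web page a developer
// visits can open a socket to the local UI server.
func checkOriginPermissive(r *http.Request) bool { return true }

// checkOriginStrict accepts the upgrade only when the Origin header names the
// same host:port the request was sent to (a same-origin check). A missing
// Origin is rejected too: browsers always send it on WebSocket handshakes.
func checkOriginStrict(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	// Compare host[:port] only; a path or query in Origin must not matter.
	return strings.EqualFold(u.Host, r.Host)
}

// newHandshakeRequest builds a constructed WebSocket upgrade request to a
// hypothetical local UI at localhost:8090 (port chosen for illustration).
func newHandshakeRequest(origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://localhost:8090/api/ws", nil)
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	for _, o := range []string{"http://localhost:8090", "https://third-party.example", ""} {
		r := newHandshakeRequest(o)
		fmt.Printf("origin=%q permissive=%v strict=%v\n", o, checkOriginPermissive(r), checkOriginStrict(r))
	}
}
```

The strict check is what a WebSocket library's origin hook (for example the `CheckOrigin` callback in common Go WebSocket packages) should implement; comparing only the host and port also defeats look-alike origins such as `http://localhost:8090.third-party.example`.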