OpenJS CNA API
Kick Off
Agenda
- The CNA API Initiative
- The plan
- The backlog
- The API POC
- Website changes: Open Data, API Docs, fetching MITRE...
- Internal Architecture
- The Official Client
- Node.js Adoption
- The Demos
Projects
API
CNA Team
Request CVEs
24x7 working
Query CVEs
MITRE coordination
CNA Website Publication
Support (editor, disputes, queries, rejections...)
Publish CVEs
Update CVEs
Infrastructure (tokens, errors...)
The Goal
DEMO: CNA OPS
Objectives
- Generate credentials for a project
- Revoke credentials for a project
- Cloudflare Dashboard for workers
Generate Credentials
Command:
Output:
pnpm bucket-manager register test_webpack ulisesRegistered test_webpack (label: ulises)
hash: 1cf1f1fa67a64ea1ec16a4c05d2d2d8e9b2f3ed9105b623c6b24d76baaa758b7
token: test_webpack:f4295bfa3099d8076...c21eebd17f22c9aa891a20b40c3d7a
Deliver the token out-of-band. It will NOT be shown again.
Commit tokens.json (and any new bucket directory) and redeploy the proxy.
Remove Credentials
Command:
Output:
pnpm bucket-manager remove test_webpack ulisesRemoved token labelled "ulises" from "test_webpack".
Commit tokens.json (and the removed bucket directory if any) and redeploy the proxy.
Cloudflare Dash
DEMO: CVE lifecycle
Objectives
- Check API Health
- Reserve a CVE
- Convert a GHSA to CVE format
- Review the CVE before publication
- Publish the CVE
Check health
Command:
Output:
export OPENJS_CNA_TOKEN="test_webpack:<the token printed in step 1>"
export OPENJS_CNA_BASE_URL="https://openjs-cna-api.<your-subdomain>.workers.dev"
openjs-cna health✔ API is reachable (ok)
{
"status": "ok",
"timestamp": "2026-06-21T16:35:54.710Z"
}Reserve CVE
Command:
Output:
CVE=$(openjs-cna reserve)
echo "Reserved $CVE"ℹ Reserving CVE…
ℹ run status: pending
ℹ run status: in_progress
ℹ run status: in_progress
ℹ run status: in_progress
ℹ run status: in_progress
✔ Reserved CVE-2026-20804
ℹ Forward to coordinator if needed: correlation_id=4953d99b-c325-4b28-899f-1748f81d89b7, run_id=27910699550
Reserved CVE-2026-20804
Convert GHSA
For this demo, we are utilizing the GHSA: GHSA-mx8g-39q3-5c79 which was officially released by the webpack team and subsequently published on MITRE as
CVE-2026-9595, but we have made a specific adjustment to the converted json in order to incorporate the MITRE testing CVE (this is a manual change that we performed)
Command:
Output:
openjs-cna convert https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 --cve "$CVE" > container.jsonℹ Converting → CVE Record
✔ Conversion completeFile Content:
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-20804",
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb"
},
"title": "webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies",
"descriptions": [
{
"lang": "en",
"value": "Impact:\n\nWhen a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches:\n\nFixed in webpack-dev-server 5.2.5.\n\nWorkarounds:\n\nScope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.",
"supportingMedia": [
{
"type": "text/markdown",
"base64": false,
"value": "### Impact\n\nWhen a user-configured proxy on `webpack-dev-server` has a broad context (e.g. `/`) and `ws: true`, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and `Origin` header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\n### Patches\n\nFixed in `webpack-dev-server` 5.2.5.\n\n### Workarounds\n\nScope user-defined proxy `context` to specific paths instead of `/`, or omit `ws: true` from the proxy entry when WebSocket forwarding is not required."
}
]
}
],
"affected": [
{
"vendor": "npm",
"product": "webpack-dev-server",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"lessThan": "5.2.5",
"status": "affected",
"versionType": "semver"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"cweId": "CWE-346",
"type": "CWE",
"description": "Origin Validation Error"
},
{
"lang": "en",
"cweId": "CWE-441",
"type": "CWE",
"description": "Unintended Proxy or Intermediary ('Confused Deputy')"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "bjohansebas"
},
{
"lang": "en",
"type": "analyst",
"value": "UlisesGascon"
}
],
"references": [
{
"url": "https://github.com/webpack/webpack-dev-server/pull/4316"
},
{
"url": "https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb"
},
{
"url": "https://github.com/facebook/create-react-app/pull/7444"
}
],
"x_generator": {
"engine": "@openjsfoundation/cna-tools 1.0.0-alpha.1"
}
}
}
}
Review CVE
We conduct a comprehensive and thorough review of the CVE that has been proposed against the official CVE JSON Schemas, along with additional rules that have been established by our CNA to serve effectively in extending the default ones provided by MITRE.
See: OpenJS extra rules
Command:
Output:
openjs-cna review container.jsonRecord preview: (edit visually at https://vulnogram.org/#source)
CVE: CVE-2026-20804
························································
Title: webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
························································
Description: Impact:
When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).
Patches:
Fixed in webpack-dev-server 5.2.5.
Workarounds:
Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.
························································
Affected: npm:webpack-dev-server (0 → < 5.2.5)
························································
CVSS 3.1: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
························································
CWE: CWE-346, CWE-441
························································
Credits: coordinator: bjohansebas, analyst: UlisesGascon
························································
References: https://github.com/webpack/webpack-dev-server/pull/4316
https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb
https://github.com/facebook/create-react-app/pull/7444
························································
Generator: @openjsfoundation/cna-tools 1.0.0-alpha.1
Review: ✖ blocked
2 blocker(s) · 0 warning(s) · 0 suggestion(s)
✖ [openjs-extra: reporter-credit-present] credits
No reporter or finder credit found
✖ [openjs-extra: remediation-credit-present] credits
No remediation credit found (expected one of: remediation developer / reviewer / verifier) Refine with Vulnogram
Publish CVE
Command:
Output:
openjs-cna publish --skip-review "$CVE" -f container.jsonPublish CVE-2026-20804? This is irreversible. [y/N] y
ℹ Publishing CVE-2026-20804…
ℹ run status: pending
ℹ run status: in_progress
ℹ run status: in_progress
ℹ run status: in_progress
ℹ run status: in_progress
✔ Published CVE-2026-20804
ℹ Forward to coordinator if needed: correlation_id=308043fd-b306-4dfb-9141-eca1dbe04c13, run_id=27911010719
{
"message": "CVE-2026-20804 record was successfully created. This submission should appear on https://test.cve.org/ within 15 minutes.",
"created": {
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-20804",
"assignerOrgId": "dc46bac7-a7e6-4e1b-ad25-dd5324f7e2c6",
"state": "PUBLISHED",
"assignerShortName": "***",
"dateReserved": "2026-06-21T16:37:18.133Z",
"datePublished": "2026-06-21T16:49:14.695Z",
"dateUpdated": "2026-06-21T16:49:14.695Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "dc46bac7-a7e6-4e1b-ad25-dd5324f7e2c6",
"shortName": "***",
"dateUpdated": "2026-06-21T16:49:14.695Z"
},
"title": "webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies",
"descriptions": [
{
"lang": "en",
"value": "Impact:\n\nWhen a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches:\n\nFixed in webpack-dev-server 5.2.5.\n\nWorkarounds:\n\nScope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.",
"supportingMedia": [
{
"type": "text/markdown",
"base64": false,
"value": "### Impact\n\nWhen a user-configured proxy on `webpack-dev-server` has a broad context (e.g. `/`) and `ws: true`, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and `Origin` header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\n### Patches\n\nFixed in `webpack-dev-server` 5.2.5.\n\n### Workarounds\n\nScope user-defined proxy `context` to specific paths instead of `/`, or omit `ws: true` from the proxy entry when WebSocket forwarding is not required."
}
]
}
],
"affected": [
{
"vendor": "npm",
"product": "webpack-dev-server",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"lessThan": "5.2.5",
"status": "affected",
"versionType": "semver"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"cweId": "CWE-346",
"type": "CWE",
"description": "Origin Validation Error"
},
{
"lang": "en",
"cweId": "CWE-441",
"type": "CWE",
"description": "Unintended Proxy or Intermediary ('Confused Deputy')"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "bjohansebas"
},
{
"lang": "en",
"type": "analyst",
"value": "UlisesGascon"
}
],
"references": [
{
"url": "https://github.com/webpack/webpack-dev-server/pull/4316"
},
{
"url": "https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb"
},
{
"url": "https://github.com/facebook/create-react-app/pull/7444"
}
],
"x_generator": {
"engine": "@***foundation/cna-tools 1.0.0-alpha.1"
}
}
}
}
}
-
Improved Documentation: How do you write an effective CVE?, etc...
-
List All Security Advisories: Include CVEs and advisories related to our projects from outside our CNA on the official website.
-
Onboard the CNA Team: This is a proof of concept. Let's discuss the details in upcoming sessions and plan for incremental integrations.
-
Onboard Projects: Let's announce this API and promote its adoption.
-
Node.js Adoption: Collaborate with the team on the existing PRs.
-
Open the POC to the World: Other CNAs may find this pattern valuable.
Next steps
Dreams are extremely important. You can't do it unless you imagine it.
- George Lucas
