Log inLog in

Variant weakness

Incomplete

CWE-1385: Missing Origin Validation in WebSockets

Also known as: Cross-Site WebSocket hijacking (CSWSH)

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Last updated May 1, 2026

29

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

WebSockets provide a bi-directional low latency communication (near real-time) between a client and a server. WebSockets are different than HTTP in that the connections are long-lived, as the channel will remain open until the client or the server is ready to send the message, whereas in HTTP, once the response occurs (which typically happens immediately), the transaction completes. A WebSocket can leverage the existing HTTP protocol over ports 80 and 443, but it is not limited to HTTP. WebSockets can make cross-origin requests that are not restricted by browser-based protection mechanisms such as the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS). Without explicit origin validation, this makes CSRF attacks more powerful.

Real-world CVEs

29 recorded CVEs are caused by CWE-1385 (Missing Origin Validation in WebSockets). The highest-severity and most recent are shown first. 10 new CWE-1385 CVEs have been recorded so far in 2026 (9 in 2025).

CVE-2026-44211

Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

Critical · CVSS 9.6

2026-06-01

Claude Code IDE extensions allow websocket connections from arbitrary origins

Platform: insecure websocket used when interacting with eda server

High · CVSS 8.1

2024-04-25

CVE-2026-35589

nanobot: Cross-Site WebSocket Hijacking in WhatsApp Bridge (CVE-2026-2577 Fix Update)

Apache Zeppelin: Command Injection via CSWSH

High · CVSS 7.5

2025-08-03

CVE-2025-54289

Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API

High · CVSS 7.4

2025-10-02

Showing 12 of 29 recorded CWE-1385 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1385 vulnerabilities

Common consequences

What can happen when CWE-1385 is exploited.

Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

Affects: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control

The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim's privileges.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Applies to

Technologies

Web Based (Often)

Web Server

How to prevent it

Practical mitigations for CWE-1385, grouped by where in the lifecycle they apply.

Implementation

Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.

Implementation

Use a randomized CSRF token to verify requests.

Implementation

Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.

Architecture and Design

Implementation

Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.

Implementation

Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.

Effectiveness: Defense in Depth

Implementation

Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set.

Effectiveness: Defense in Depth

Implementation

Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2020-25095 — web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH)
CVE-2018-6651 — Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.
CVE-2018-14730 — WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:3123/ connection.
CVE-2018-14731 — WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1/ connection to a randomized port number.
CVE-2018-14732 — WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:8080/ connection.

Terminology & mappings

Alternate terms

Cross-Site WebSocket hijacking (CSWSH): this term is used for attacks that exploit this weakness

Frequently asked questions

Common questions about CWE-1385.

What is CWE-1385?

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

What CVEs are caused by CWE-1385?

29 recorded CVEs are attributed to CWE-1385, including CVE-2024-23168, CVE-2025-24964, CVE-2026-44211.

How do you prevent CWE-1385?

Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.

What are the consequences of CWE-1385?

Exploiting CWE-1385 can lead to: Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart.

Is CWE-1385 actively exploited?

29 recorded CVEs are caused by CWE-1385; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1385

Get alerted the moment a new CWE-1385 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-1385?

What CVEs are caused by CWE-1385?

How do you prevent CWE-1385?

What are the consequences of CWE-1385?

Is CWE-1385 actively exploited?

References

Stay ahead of CWE-1385