CVE-2025-47269 code-server session cookie can be extracted by having user visit specially crafted proxy URL

code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can result in proxying to a...

CVE-2025-47269

Summary: The code-server CVE-2025-47269 vulnerability affects versions before 4.99.4, where a maliciously crafted URL using the built-in proxy /proxy subpath can cause the proxy to forward to an attacker-controlled domain, potentially exposing a user’s session token and enabling session hijacking...