{"id":3857664,"name":"github.com/loft-sh/devspace","ecosystem":"go","description":"","homepage":"https://github.com/loft-sh/devspace","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/loft-sh/devspace","keywords_array":[],"namespace":"github.com/loft-sh","versions_count":35,"first_release_published_at":"2018-08-17T19:54:21.000Z","latest_release_published_at":"2018-12-20T14:52:23.000Z","latest_release_number":"v2.5.1+incompatible","last_synced_at":"2026-06-02T10:45:53.578Z","created_at":"2022-04-11T21:32:41.302Z","updated_at":"2026-06-02T10:45:53.578Z","registry_url":"https://pkg.go.dev/github.com/loft-sh/devspace","install_command":"go get github.com/loft-sh/devspace","documentation_url":"https://pkg.go.dev/github.com/loft-sh/devspace#section-documentation","metadata":{},"repo_metadata":{"uuid":"145153231","full_name":"loft-sh/devspace","owner":"loft-sh","description":"DevSpace - The Fastest Developer Tool for Kubernetes ⚡ Automate your deployment workflow with DevSpace and develop software directly inside Kubernetes.","archived":false,"fork":false,"pushed_at":"2022-10-21T09:56:08.000Z","size":359062,"stargazers_count":3129,"open_issues_count":167,"forks_count":273,"subscribers_count":47,"default_branch":"main","last_synced_at":"2022-10-21T10:10:36.187Z","etag":null,"topics":["cli","cloud-native","container","containerization","dev","developer-tool","developer-tools","development","development-tools","devops","devops-tools","devspace","devtool","docker","golang","helm","kaniko","kubernetes","microservice","minikube"],"latest_commit_sha":null,"homepage":"https://devspace.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"logo_url":null,"metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null}},"created_at":"2018-08-17T18:18:43.000Z","updated_at":"2022-10-24T21:53:50.597Z","dependencies_parsed_at":"2022-07-10T01:46:49.803Z","dependency_job_id":null,"repository_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loft-sh%2Fdevspace","tags_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loft-sh%2Fdevspace/tags","manifests_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loft-sh%2Fdevspace/manifests","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":31234286,"host_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"http://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names"}},"repo_metadata_updated_at":"2023-03-21T19:10:02.271Z","dependent_packages_count":4,"downloads":null,"downloads_period":null,"dependent_repos_count":4,"rankings":{"downloads":null,"dependent_repos_count":2.508663643041937,"dependent_packages_count":2.840038008240442,"stargazers_count":1.2386835669377056,"forks_count":1.7211255716214342,"docker_downloads_count":2.132473889297007,"average":2.088196935827705},"purl":"pkg:golang/github.com/loft-sh/devspace","advisories":[{"uuid":"GSA_kwCzR0hTQS1ocXdtLTd4N3gtODM3Oc4ABWSk","url":"https://github.com/advisories/GHSA-hqwm-7x7x-8379","title":"DevSpace UI Server WebSocket CheckOrigin does not validate source","description":"### Description\n\nDevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to `ws://127.0.0.1:8090`. This allows an attacker to access: \n* `/api/logs` to stream real-time pod logs\n* `/api/enter` to open an interactive shell inside the running pod\n* `/api/command` to execute pre-defined pipeline commands\n\n### Patches\n\nVersions 6.3.21 and above are patched.\n\n### Resources\n\n[gorilla/websocket CheckOrigin documentation](https://pkg.go.dev/github.com/gorilla/websocket#hdr-Origin_Considerations)\n\n### Installation Options\n\nDevspace is no longer publishing to NPM or Yarn, please continue to use our [other installation methods](https://www.devspace.sh/docs/getting-started/installation) to get updates in the future, including this patch.\n\n### Credit\n\nDevSpace thanks @b0b0haha for finding and reporting this vulnerability.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-06T17:05:57.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.7,"cvss_vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","references":["https://github.com/devspace-sh/devspace/security/advisories/GHSA-hqwm-7x7x-8379","https://nvd.nist.gov/vuln/detail/CVE-2026-42283","https://github.com/advisories/GHSA-hqwm-7x7x-8379"],"source_kind":"github","identifiers":["GHSA-hqwm-7x7x-8379","CVE-2026-42283"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-06T18:00:09.102Z","updated_at":"2026-05-23T06:00:32.402Z","epss_percentage":0.00005,"epss_percentile":0.0022,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocXdtLTd4N3gtODM3Oc4ABWSk","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ocXdtLTd4N3gtODM3Oc4ABWSk","packages":[{"ecosystem":"go","package_name":"github.com/loft-sh/devspace","versions":[{"first_patched_version":"6.3.21","vulnerable_version_range":"= 6.3.20"}],"purl":"pkg:go/github.com%2Floft-sh%2Fdevspace"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocXdtLTd4N3gtODM3Oc4ABWSk/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02aDhjLWd3MzMtY2ptMs4AAlcw","url":"https://github.com/advisories/GHSA-6h8c-gw33-cjm2","title":"DevSpace vulnerable to remote code execution","description":"The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2022-05-24T17:24:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","references":["https://nvd.nist.gov/vuln/detail/CVE-2020-15391","https://github.com/devspace-cloud/devspace/releases/tag/v4.14.0","https://github.com/devspace-sh/devspace/issues/1128","https://github.com/advisories/GHSA-6h8c-gw33-cjm2"],"source_kind":"github","identifiers":["GHSA-6h8c-gw33-cjm2","CVE-2020-15391"],"repository_url":"https://github.com/devspace-cloud/devspace","blast_radius":0.0,"created_at":"2023-10-19T19:06:09.158Z","updated_at":"2026-04-05T20:07:27.154Z","epss_percentage":0.02381,"epss_percentile":0.84519,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDhjLWd3MzMtY2ptMs4AAlcw","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02aDhjLWd3MzMtY2ptMs4AAlcw","packages":[{"ecosystem":"go","package_name":"github.com/loft-sh/devspace","versions":[{"first_patched_version":"4.14.0","vulnerable_version_range":"\u003c= 4.13.0"}],"purl":"pkg:go/github.com%2Floft-sh%2Fdevspace"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDhjLWd3MzMtY2ptMs4AAlcw/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/loft-sh/devspace","docker_dependents_count":8,"docker_downloads_count":449,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/loft-sh/devspace","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/loft-sh/devspace/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Floft-sh%2Fdevspace/codemeta","maintainers":[]}