elm-watch is vulnerable to Improper Authentication
Medium Risk
Affected versions of this package accept WebSocket connections even when the secret token is missing or invalid, so authentication is not actually enforced and an unauthorized client can establish a limited session. Because browsers allow any origin to open a WebSocket to a local port, an attacker can exploit this by getting the victim to visit a malicious website while elm-watch is running, opening an unauthorized WebSocket connection from that page, and sending the PressedOpenEditor command, which can execute the victim's configured editor command. No sensitive data is exposed and most commands are ignored, but this can still lead to command execution if the editor command is insecure, or to disruptive behavior. The issue is fixed by rejecting invalid tokens with a 401 response during the handshake so that no connection is established.
You are affected if you are using a version that falls within the vulnerable range.
elm-watch is vulnerable to Improper Authentication in versions 1.2.1 - 1.2.4.
Upgrade elm-watch to a version later than 1.2.4, which rejects invalid or missing tokens with a 401 response instead of establishing the connection.