CVE-2023-7078 — Server-Side Request Forgery in Wrangler
Severity
8.1 HIGH NVD
NVD 8.0
EPSS
0.1%
top 78.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Dec 29
Description
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2