QID 996516

Date Published: 2024-01-04

QID 996516: NodeJs (Npm) Security Update for wrangler (GHSA-f8mp-x433-5wpf)

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as High - 8 severity.

CVSS V2 rated as Medium - 5.4 severity.

Solution

Refer to Github security advisory GHSA-f8mp-x433-5wpf for updates and patch information.

Vendor References

GHSA-f8mp-x433-5wpf - github.com/advisories/GHSA-f8mp-x433-5wpf

CVEs related to QID 996516

CVE-2023-7080 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-f8mp-x433-5wpf	wrangler		github.com/advisories/GHSA-f8mp-x433-5wpf

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].