Lucene search

K
githubGitHub Advisory DatabaseGHSA-FWVG-2739-22V7
HistoryDec 29, 2023 - 7:36 p.m.

Miniflare vulnerable to Server-Side Request Forgery (SSRF)

2023-12-2919:36:41
CWE-918
GitHub Advisory Database
github.com
17
miniflare
server-side request forgery
http requests
websocket requests
vulnerability
patch
workaround
cloudflare.

8.1 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

Impact

Sending specially crafted HTTP requests to Miniflare’s server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

Patches

The issue was fixed in [email protected].

Workarounds

Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: "127.0.0.1" option.

References

Affected configurations

Vulners
Node
github_advisory_databaseminiflareRange<3.20231030.2
CPENameOperatorVersion
miniflarelt3.20231030.2

8.1 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

Related for GHSA-FWVG-2739-22V7