Lucene search
GoogleOSV:GHSA-FWVG-2739-22V7HistoryDec 29, 2023 - 7:36 p.m.
Miniflare vulnerable to Server-Side Request Forgery (SSRF)
2023-12-2919:36:41
Google
osv.dev
11
miniflare
ssrf vulnerability
http requests
websocket requests
network interfaces
local servers
patch
configuration
github.
Impact
Sending specially crafted HTTP requests to Miniflareās server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.
Patches
The issue was fixed in [email protected].
Workarounds
Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: "127.0.0.1" option.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| miniflare | ge | 3.20230821.0 | |
| miniflare | lt | 3.20231030.2 |
Related
cvelist
cvelist
CVE-2023-7078 Server-Side Request Forgery (SSRF) in Miniflare
2023-12-29 11:53:06
cve
cve
CVE-2023-7078
2023-12-29 12:15:47
CVE-2023-7080
2023-12-29 12:15:47
veracode
veracode
Server Side Request Forgery
2024-01-02 13:05:06
github
github
Miniflare vulnerable to Server-Side Request Forgery (SSRF)
2023-12-29 19:36:41
osv
osv
CVE-2023-7078
2023-12-29 12:15:47
CVE-2023-7080
2023-12-29 12:15:47
prion
prion
Design/Logic Flaw
2023-12-29 12:15:00
Design/Logic Flaw
2023-12-29 12:15:00