Homepage
About Snyk

Arbitrary File Read Affecting wrangler package, versions >=3.9.0 <3.18.0

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-WRANGLER-6140498
  • published 31 Dec 2023
  • disclosed 29 Dec 2023
  • credit Lekensteyn
Report a new vulnerability Found a mistake?

Introduced: 29 Dec 2023

CVE-2023-7079 Open this link in a new tab
CWE-22 Open this link in a new tab

How to fix?

Upgrade wrangler to version 3.18.0 or higher.

Overview

wrangler is a Command-line interface for all things Cloudflare Workers

Affected versions of this package are vulnerable to Arbitrary File Read by specially crafted HTTP requests and inspector messages to the dev server. An attacker can access any file on the user's computer over the local network by convincing a user to open a malicious website.

Workaround

This vulnerability can be mitigated by configuring Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1. This does not prevent the visiting of a malicious website.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.4 medium
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

5.7 medium