Homepage
About Snyk

Improper Handling of Insufficient Privileges Affecting wrangler package, versions >=2.0.0 <2.20.2 >=3.0.0 <3.19.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-WRANGLER-6140500
  • published 31 Dec 2023
  • disclosed 29 Dec 2023
  • credit Lekensteyn
Report a new vulnerability Found a mistake?

Introduced: 29 Dec 2023

CVE-2023-7080 Open this link in a new tab
CWE-274 Open this link in a new tab

How to fix?

Upgrade wrangler to version 2.20.2, 3.19.0 or higher.

Overview

wrangler is a Command-line interface for all things Cloudflare Workers

Affected versions of this package are vulnerable to Improper Handling of Insufficient Privileges via the wrangler dev server configuration. An attacker on the local network can connect to the inspector and execute arbitrary code. Additionally, without proper validation of Origin/Host headers, an attacker could exploit this to run code by convincing a user to visit a malicious website.

Note: If wrangler dev --remote is used, the attacker could also access production resources bound to the worker.

Workaround

This vulnerability can be mitigated by configuring Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.5 high
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

8 high