CVE-2023-7078: Server-Side Request Forgery (SSRF)

December 29, 2023 (updated January 5, 2024)

Sending specially crafted HTTP requests to Miniflare’s server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

References

github.com/advisories/GHSA-fwvg-2739-22v7
github.com/cloudflare/workers-sdk/pull/4532
github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7
nvd.nist.gov/vuln/detail/CVE-2023-7078

Detect and mitigate CVE-2023-7078 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →