CVE-2023-7078
Miniflare vulnerable to Server-Side Request Forgery (SSRF)
Description
### Impact Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in `wrangler` until `3.19.0`), an attacker on the local network could access other local servers. ### Patches The issue was fixed in `[email protected]`. ### Workarounds Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the `host: "127.0.0.1"` option. ### References - https://github.com/cloudflare/workers-sdk/pull/4532
How to fix CVE-2023-7078
To remediate CVE-2023-7078, upgrade the affected package to a fixed version below.
- —upgrade to 3.20231030.2 or later
Is CVE-2023-7078 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.20230821.0, < 3.20231030.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |