5.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-3348

CVE-2023-3348: Cloudflare Wrangler directory traversal vulnerability

Impact

The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher. Wrangler3: Upgrade to v3.1.1 or higher.

References

Workers SDK on Github Wrangler docs CVE-2023-3348

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-3348

CVE-2023-3348:

5.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wrangler	npm	< 2.20.1	2.20.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper path handling in the local development server's asset serving logic. The commit diff shows critical changes in assets.ts where: 1) directory paths are resolved to absolute paths, and 2) a security check was added to ensure resolved file paths start with the build directory. The vulnerable version lacked these protections, allowing attackers to escape the restricted directory via crafted paths. The findAssetEntryForPath() function was directly responsible for mapping URLs to filesystem paths without proper containment checks prior to the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-3348: Cloudflare Wrangler directory traversal vulnerability

Impact

Patches

References

CVE-2023-3348:

5.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.7

5.7

Technical Details

Basic Information

Basic Information

CVE-2023-3348: Cloudflare Wrangler directory traversal vulnerability

Impact

Patches

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI