7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-7078

GHSA ID

GHSA-fwvg-2739-22v7

EPSS Score

0.14075%

CWE

CWE-918

Published

12/29/2023

Updated

12/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-7078

CVE-2023-7078: Miniflare vulnerable to Server-Side Request Forgery (SSRF)

Impact

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

Patches

The issue was fixed in miniflare@3.20231030.2.

Workarounds

Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: "127.0.0.1" option.

References

https://github.com/cloudflare/workers-sdk/pull/4532

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-7078

GHSA ID

GHSA-fwvg-2739-22v7

EPSS Score

0.14075%

CWE

CWE-918

Published

12/29/2023

Updated

12/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
miniflare	npm	>= 3.20230821.0, < 3.20231030.2	3.20231030.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Imp**t S*n*in* sp**i*lly *r**t** *TTP r*qu*sts to Mini*l*r*'s s*rv*r *oul* r*sult in *r*itr*ry *TTP *n* W**So*k*t r*qu*sts **in* s*nt *rom t** s*rv*r. I* Mini*l*r* w*s *on*i*ur** to list*n on *xt*rn*l n*twork int*r****s (*s w*s t** ****ult in `wr

Reasoning

No *n*lysis *v*il**l*

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-7078: Miniflare vulnerable to Server-Side Request Forgery (SSRF)

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI