Description

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

Remediation

References

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7

https://github.com/cloudflare/workers-sdk/pull/4532

Related Vulnerabilities

CVE-2021-23463 Vulnerability in maven package com.h2database:h2

CVE-2021-43803 Vulnerability in npm package next

CVE-2021-23440 Vulnerability in npm package set-value

CVE-2020-9038 Vulnerability in npm package joplin

CVE-2021-41097 Vulnerability in npm package aurelia-path

Severity

Critical

Classification

CWE-918 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Patch Third Party Advisory