CVE-2021-38384

9.8 CRITICAL

📋 TL;DR

Serverless Offline 8.0.0, the local AWS Lambda and API Gateway emulator for the Serverless Framework, returns HTTP 403 for a request whose path ends in a trailing slash, while the same route deployed on AWS returns 200. A developer who relies on the local behaviour may assume that trailing-slash requests are rejected and ship access-control logic that never handles them, so the deployed API is more permissive than it appeared in local testing. Only developers using Serverless Offline 8.0.0 for local development are affected; the bug is in the emulator, not in AWS Lambda.

💻 Affected Systems

Products:
  • Serverless Offline
Versions: 8.0.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects local development environments using Serverless Offline 8.0.0; production AWS Lambda is not vulnerable.

📦 What is this software?

Serverless Offline is a plugin for the Serverless Framework that emulates AWS Lambda and API Gateway on a developer's machine, so functions can be invoked over HTTP locally without deploying to AWS.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Production AWS Lambda functions allow unauthorized access to protected resources because developers assumed, from what they saw locally, that requests to trailing-slash routes are rejected with 403, and never wrote access-control logic for them.

🟠

Likely Case

Developers waste time debugging behaviour that differs between the local emulator and production, and may deploy access-control configurations that were only validated against the emulator.

🟢

If Mitigated

Minimal impact if developers properly test in AWS environment before deployment and don't rely solely on local testing behavior.

🌐 Internet-Facing: LOW
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

This is a development tool bug, not a production vulnerability. Exploitation requires developer misunderstanding of the discrepancy.
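The class of mistake the discrepancy can hide, as an added illustration that is not serverless-offline code or code from the linked issue. The route name "/admin", the "x-demo-role" header and the handler shape are hypothetical; the event follows the API Gateway Lambda proxy format (event.path, event.headers) but only the fields used here are populated. The point: an exact-match path check looks correct under Serverless Offline 8.0.0, because "/admin/" is answered with 403 before the handler ever runs, yet on AWS that request reaches the handler and slips past the check. Normalizing the path before deciding removes the dependence on how the router treats the trailing slash.

```javascript
// Added example, not part of serverless-offline. Route, header name and
// event fields are assumptions for illustration only.

// Vulnerable pattern: exact string match on the request path. Locally
// (8.0.0) "/admin/" never reaches this function, so tests pass; on AWS it does.
function isProtectedExact(path) {
  return path === '/admin';
}

// Hardened pattern: canonicalize first. Collapse repeated slashes, drop a
// trailing slash (but keep "/" itself), then decide on the canonical form.
function normalizePath(path) {
  let p = (path || '/').replace(/\/+/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

function isProtectedNormalized(path) {
  const p = normalizePath(path);
  return p === '/admin' || p.startsWith('/admin/');
}

// Handler in the style of an API Gateway Lambda proxy integration, kept
// synchronous so it is easy to call directly. `isProtected` is the policy
// under test; the "x-demo-role" header stands in for a real authorizer result.
function makeHandler(isProtected) {
  return (event) => {
    const path = event.path || '/';
    const headers = event.headers || {};
    const authorized = headers['x-demo-role'] === 'admin';
    if (isProtected(path) && !authorized) {
      return { statusCode: 403, body: 'forbidden' };
    }
    return { statusCode: 200, body: `ok ${path}` };
  };
}

const vulnerableHandler = makeHandler(isProtectedExact);
const hardenedHandler = makeHandler(isProtectedNormalized);

// Constructed events: an anonymous caller hitting the admin route with and
// without the trailing slash, as it would arrive on AWS (no 403 from the router).
const anonAdmin = { path: '/admin', headers: {} };
const anonAdminSlash = { path: '/admin/', headers: {} };

function demo() {
  return {
    vulnerable: {
      noSlash: vulnerableHandler(anonAdmin).statusCode,
      slash: vulnerableHandler(anonAdminSlash).statusCode, // 200: bypass
    },
    hardened: {
      noSlash: hardenedHandler(anonAdmin).statusCode,
      slash: hardenedHandler(anonAdminSlash).statusCode, // 403: still blocked
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node demo.js`: the vulnerable handler answers 200 for "/admin/" from an anonymous caller, the hardened one answers 403 for both spellings. The same normalization belongs in a custom authorizer or middleware, not only in individual handlers, so that every route is covered.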

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.1

Vendor Advisory: https://github.com/dherault/serverless-offline/issues/1259

Restart Required: Yes

Instructions:

1. Update package.json to require serverless-offline 8.0.1 or later.
2. Run 'npm update serverless-offline' or 'yarn upgrade serverless-offline'.
3. Restart your development server.

🔧 Temporary Workarounds

Downgrade to 7.x

Platform: all

Revert to the previous major version, which does not have this trailing-slash discrepancy

npm install serverless-offline@7

Manual route testing

Platform: all

Before deployment, request every route both with and without a trailing slash against a real AWS environment, and compare the status codes with what the local server returns

🧯 If You Can't Patch

  • Always test access control logic directly in AWS Lambda environment, not just locally with Serverless Offline
  • Implement comprehensive integration tests that run against actual AWS endpoints before deployment
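A small probe that implements the workaround and the two bullets above, as an added example (not serverless-offline code): it requests each route with and without a trailing slash against a local base URL and a deployed one and reports every route whose status codes disagree, either between the two spellings or between the two environments. The base URLs, the route list and the file name probe.js are assumptions; the live part needs Node 18+ for the global fetch, while the comparison functions are pure and run on the constructed sample below.

```javascript
// Added example, not part of serverless-offline. URLs, routes and the
// SAMPLE data are constructed for illustration.

// Build the two URL variants for a route, e.g. "/users" and "/users/".
// Leading and trailing slashes on the inputs are tolerated.
function variants(baseUrl, route) {
  const base = baseUrl.replace(/\/+$/, '');
  const plain = '/' + route.replace(/^\/+|\/+$/g, '');
  const slash = plain === '/' ? '/' : plain + '/';
  return { plain: base + plain, slash: base + slash };
}

// Issue both requests per route. redirect: 'manual' so a 301/308 from the
// server is reported as-is instead of being followed to a 200.
async function probeRoutes(baseUrl, routes, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const route of routes) {
    const v = variants(baseUrl, route);
    const [a, b] = await Promise.all([
      fetchImpl(v.plain, { redirect: 'manual' }),
      fetchImpl(v.slash, { redirect: 'manual' }),
    ]);
    results.push({ route, plain: a.status, slash: b.status });
  }
  return results;
}

// Within one environment: routes where the trailing slash changes the answer.
// Under 8.0.0 this is the 200 / 403 pair the advisory describes.
function findTrailingSlashMismatches(results) {
  return results.filter((r) => r.plain !== r.slash);
}

// Across environments: routes where local and deployed status codes differ
// for either spelling. This is the check that catches the emulator lying.
function compareEnvironments(local, remote) {
  const byRoute = new Map(remote.map((r) => [r.route, r]));
  return local
    .filter((l) => {
      const r = byRoute.get(l.route);
      return !r || r.plain !== l.plain || r.slash !== l.slash;
    })
    .map((l) => ({ route: l.route, local: l, remote: byRoute.get(l.route) || null }));
}

// Constructed sample shaped like the bug: local 8.0.0 denies the slash form,
// the deployed API serves both.
const SAMPLE_LOCAL = [
  { route: '/users', plain: 200, slash: 403 },
  { route: '/health', plain: 200, slash: 200 },
];
const SAMPLE_AWS = [
  { route: '/users', plain: 200, slash: 200 },
  { route: '/health', plain: 200, slash: 200 },
];

async function main(argv) {
  if (argv.length < 3) {
    console.log('usage: node probe.js <localBaseUrl> <awsBaseUrl> <route> [route...]');
    return 2;
  }
  const [localUrl, awsUrl, ...routes] = argv;
  const local = await probeRoutes(localUrl, routes);
  const remote = await probeRoutes(awsUrl, routes);
  const diffs = compareEnvironments(local, remote);
  console.log(JSON.stringify({ localOnly: findTrailingSlashMismatches(local), diffs }, null, 2));
  return diffs.length === 0 ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  main(process.argv.slice(2)).then((code) => process.exit(code));
}
```

Typical use: `node probe.js http://localhost:3000 https://<api-id>.execute-api.<region>.amazonaws.com/dev /users /health` (the URLs are placeholders). A non-zero exit on any difference makes it usable as a pre-deploy gate; after updating to a fixed serverless-offline the same run should report no local trailing-slash mismatches.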

🔍 How to Verify

Check if Vulnerable:

Check whether the installed serverless-offline version is exactly 8.0.0, in package.json (note that a caret range such as ^8.0.0 can still resolve to 8.0.0; the lock file or 'npm list serverless-offline' shows the version actually installed)

Check Version:

npm list serverless-offline | grep serverless-offline

Verify Fix Applied:

After updating, request a route both with and without a trailing slash against the local server: the two forms should return the same status code (200 for a handler that succeeds), instead of 403 for the trailing-slash form

📡 Detection & Monitoring

Log Indicators:

  • Development logs showing 403 errors for trailing slash routes that work in production

Network Indicators:

  • HTTP 403 responses from local development server for valid AWS Lambda routes

SIEM Query:

Not applicable - this is a development tool issue

🔗 References

  • https://github.com/dherault/serverless-offline/issues/1259
  • https://nvd.nist.gov/vuln/detail/CVE-2021-38384