CVE-2023-7078

7.5 HIGH

📋 TL;DR

CVE-2023-7078 is a server-side request forgery (SSRF) vulnerability in Miniflare, the local Cloudflare Workers simulator that wrangler uses for `wrangler dev`. Specially crafted HTTP requests to Miniflare's development server make it issue arbitrary HTTP and WebSocket requests on the attacker's behalf. Because wrangler before 3.19.0 started Miniflare listening on all network interfaces by default, anyone on the same local network could reach the dev server and pivot through it to services that are only meant to be reachable from the developer's machine or LAN.

💻 Affected Systems

Products:
  • Miniflare
  • wrangler (Cloudflare Workers CLI)
Versions: wrangler before 3.19.0 with the default Miniflare configuration; Miniflare releases older than the one shipped with wrangler 3.19.0 when started with a host other than localhost
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable from the network when the Miniflare server listens on an external interface (0.0.0.0 or a LAN address). That was the default in wrangler before 3.19.0; from 3.19.0 onward the default bind address is localhost.

📦 What is this software?

Miniflare is a simulator for developing and testing Cloudflare Workers on a developer's machine. wrangler is Cloudflare's command-line tool for Workers; `wrangler dev` embeds Miniflare to run a Worker locally, by default on port 8787.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could pivot through the vulnerable server to access sensitive internal services, databases, or cloud metadata endpoints, potentially leading to data exfiltration or further network compromise.

🟠 Likely Case

Local network attackers could scan and interact with other internal services that shouldn't be externally accessible, potentially accessing development servers, databases, or administrative interfaces.

🟢 If Mitigated

If Miniflare listens only on localhost, or sits behind proper network segmentation, only processes already running on the developer's machine can reach it, which is the trust boundary a local dev server is meant to have.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network reachability to the Miniflare listening port (8787 by default) and consists of sending specially crafted HTTP requests; no credentials or user interaction are involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: wrangler 3.19.0+

Vendor Advisory: https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7

Restart Required: Yes

Instructions:

1. Update wrangler to version 3.19.0 or later: `npm update -g wrangler` for a global install, or `npm install --save-dev wrangler@latest` in each project that pins wrangler in package.json. Projects that depend on the miniflare package directly should update it alongside wrangler.
2. Restart any running `wrangler dev` or Miniflare development servers so the new bind default takes effect.
3. Confirm the running version with `wrangler --version`.

🔧 Temporary Workarounds

Bind to localhost only

Platform: all

Configure Miniflare to listen only on localhost instead of external interfaces. Note that `wrangler dev --host` sets the hostname that requests are routed as, not the bind address; the listening address is set with `--ip` (or `ip` under `[dev]` in wrangler.toml):

wrangler dev --ip 127.0.0.1
miniflare --host localhost

Use network firewall

Platform: all

Block external access to Miniflare's default port (8787) with a host or network firewall. A host firewall stops peers on the LAN but not other processes on the same machine, and it must be repeated for any non-default port passed to `--ip`/`--port`:

sudo ufw deny 8787
netsh advfirewall firewall add rule name="Block Miniflare" dir=in action=block protocol=TCP localport=8787

🧯 If You Can't Patch

  • Configure Miniflare to bind only to 127.0.0.1/localhost instead of 0.0.0.0
  • Place the development server behind a properly configured reverse proxy or VPN with strict access controls

🔍 How to Verify

Check if Vulnerable:

You are exposed if the wrangler version is below 3.19.0 and the Miniflare process is listening on an address other than 127.0.0.1 or ::1 (for example 0.0.0.0, :: or a LAN address). The version alone is not enough: an old wrangler started with `--ip 127.0.0.1` is not reachable from the network, and a patched wrangler started with `--ip 0.0.0.0` is still exposed to the LAN.

Check Version:

wrangler --version

Verify Fix Applied:

Verify that `wrangler --version` reports 3.19.0 or later, then start the dev server and confirm with your OS socket listing tool (ss, netstat, lsof) that port 8787 is bound only to 127.0.0.1 or ::1.
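The two checks above, combined into one script. This is an added example, not code from this page or from Cloudflare: it parses a wrangler version string and the listening-socket table, and reports which of the two conditions hold. The sample version line and `ss -ltn` table below are constructed; with `--live` it runs the real `wrangler --version` and `ss -ltn` (assumptions: `ss` is installed and wrangler prints a semver somewhere in its version output).

```python
"""Check a host for CVE-2023-7078 exposure: old wrangler AND a non-loopback
listener on the Miniflare port. Added example, not the project's own tooling."""
import re
import subprocess
import sys
from ipaddress import ip_address

FIXED_IN = (3, 19, 0)   # first wrangler release that binds to localhost by default
DEFAULT_PORT = 8787     # default `wrangler dev` / Miniflare listen port


def parse_version(text):
    """Return the first x.y.z found in text as an int tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def wrangler_version_vulnerable(text):
    """True when the version embedded in text is older than 3.19.0."""
    v = parse_version(text)
    return v is not None and v < FIXED_IN


def is_loopback_bind(local_addr):
    """True if an ss 'Local Address:Port' value is a loopback address.
    Accepts 127.0.0.1:8787, [::1]:8787, 0.0.0.0:8787, [::]:8787 and *:8787."""
    host = local_addr.rsplit(":", 1)[0].strip("[]")
    if host in ("*", "0.0.0.0", "::", ""):
        return False                      # wildcard binds reach every interface
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False                      # unparseable: treat as not loopback


def exposed_listeners(ss_output, port=DEFAULT_PORT):
    """Return the local addresses bound to `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines()[1:]:   # first line is the ss header
        cols = line.split()
        if len(cols) < 4:
            continue
        local = cols[3]                       # 'Local Address:Port' column
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        if not is_loopback_bind(local):
            exposed.append(local)
    return exposed


def assess(version_text, ss_output, port=DEFAULT_PORT):
    """Combine both signals. Returns (status, exposed_addresses)."""
    old = wrangler_version_vulnerable(version_text)
    exposed = exposed_listeners(ss_output, port)
    if old and exposed:
        return "vulnerable", exposed
    if exposed:
        return "exposed", exposed         # patched, but deliberately bound to the LAN
    if old:
        return "old-version", exposed     # update before the next `wrangler dev --ip 0.0.0.0`
    return "ok", exposed


# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION = " ⛅️ wrangler 3.18.0"
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8787        0.0.0.0:*
LISTEN 0      511    127.0.0.1:9229      0.0.0.0:*
LISTEN 0      511    [::1]:8787          [::]:*
"""


def main(argv):
    if "--live" in argv:
        try:
            version_text = subprocess.run(["wrangler", "--version"],
                                          capture_output=True, text=True).stdout
            ss_output = subprocess.run(["ss", "-ltn"],
                                       capture_output=True, text=True).stdout
        except FileNotFoundError as exc:
            sys.exit(f"required tool not found: {exc.filename}")
    else:
        version_text, ss_output = SAMPLE_VERSION, SAMPLE_SS
    status, exposed = assess(version_text, ss_output)
    print(status, exposed)


if __name__ == "__main__":
    main(sys.argv[1:])
```

On the constructed input the result is `vulnerable ['0.0.0.0:8787']`: the IPv6 listener on `[::1]` is fine, the IPv4 wildcard bind is what a LAN attacker reaches. The "exposed" status is deliberate: a patched wrangler started with `--ip 0.0.0.0` is no longer affected by this CVE, but the dev server is still reachable by everyone on the network.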

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Miniflare server with crafted URLs pointing to internal addresses
  • Outbound requests from Miniflare to unexpected internal services

Network Indicators:

  • Traffic from Miniflare server to internal services not normally accessed
  • SSRF patterns in HTTP requests to Miniflare

SIEM Query:

The query below assumes you ship the dev server's request log with a `url` field (the `source` and field names are illustrative). Note that `172.16.*` only covers 172.16.0.0/16; the private block is 172.16.0.0/12, so match `172.16.*` through `172.31.*` (or use a CIDR match), and include the loopback, IPv6 loopback and cloud metadata targets:

source="miniflare" AND (url="*://localhost*" OR url="*://127.*" OR url="*://[::1]*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.1[6-9].*" OR url="*://172.2?.*" OR url="*://172.3[01].*" OR url="*://169.254.169.254*")

Wildcard matching on the URL string misses encoded targets (decimal or hex IPv4 literals such as `2130706433`, IPv4-mapped IPv6 such as `[::ffff:127.0.0.1]`), which is why a parsed-address check is preferable where the SIEM supports it.
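A parsed-address version of the query above, as an added example that is not part of this page or of Miniflare. It classifies each logged request URL by where its target actually points, using real address arithmetic rather than string wildcards, so the 172.16.0.0/12 gap, decimal and hex IP literals, IPv4-mapped IPv6 and the link-local metadata range are all caught. The log format is an assumption (one JSON object per line with `ts`, `src`, `method` and `url`), and the sample lines are constructed.

```python
"""Flag dev-server requests whose target URL points at loopback, link-local,
private or cloud-metadata addresses. Added example; log format is assumed."""
import json
from ipaddress import IPv6Address, ip_address
from urllib.parse import urlsplit

# Well-known metadata endpoints that a hostname-only check would miss.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}
SUSPICIOUS = {"loopback", "metadata", "link-local", "private"}


def host_to_ip(host):
    """Turn a URL host into an ip_address, decoding the decimal and hex spellings
    (http://2130706433/ and http://0x7f000001/ both mean 127.0.0.1).
    Returns None for names that are not IP literals."""
    h = host.strip("[]").lower()
    if h == "localhost":
        return ip_address("127.0.0.1")
    try:
        if h.isdigit():
            ip = ip_address(int(h))          # decimal IPv4 literal
        elif h.startswith("0x"):
            ip = ip_address(int(h, 16))      # hex IPv4 literal
        else:
            ip = ip_address(h)
    except ValueError:
        return None
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
    return ip


def classify_target(url):
    """Return one of: loopback, metadata, link-local, private, public, hostname."""
    host = urlsplit(url).hostname or ""
    if host in METADATA_HOSTS:
        return "metadata"
    ip = host_to_ip(host)
    if ip is None:
        return "hostname"                    # needs DNS resolution to judge
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def scan(log_lines):
    """Return (ts, src, classification, url) for every request aimed at an
    address class in SUSPICIOUS. Malformed lines are skipped."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        url = rec.get("url", "")
        kind = classify_target(url)
        if kind in SUSPICIOUS:
            hits.append((rec.get("ts"), rec.get("src"), kind, url))
    return hits


# Constructed sample log (not real traffic). Line 3 is in 172.16.0.0/12 but
# outside 172.16.0.0/16; lines 4 and 5 are loopback in disguise.
SAMPLE_LOG = """\
{"ts":"2023-12-05T10:00:01Z","src":"192.168.1.20","method":"GET","url":"http://example.com/"}
{"ts":"2023-12-05T10:00:02Z","src":"192.168.1.20","method":"GET","url":"http://169.254.169.254/latest/meta-data/"}
{"ts":"2023-12-05T10:00:03Z","src":"192.168.1.20","method":"GET","url":"http://172.31.0.9:5432/"}
{"ts":"2023-12-05T10:00:04Z","src":"192.168.1.20","method":"GET","url":"http://2130706433:9229/json"}
{"ts":"2023-12-05T10:00:05Z","src":"192.168.1.20","method":"GET","url":"http://[::ffff:127.0.0.1]:8787/"}
{"ts":"2023-12-05T10:00:06Z","src":"192.168.1.20","method":"GET","url":"https://api.github.com/"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Four of the six constructed lines are reported (metadata, private, loopback, loopback); the two public URLs are not. A target given as a DNS name comes back as "hostname" rather than "public" on purpose: deciding whether `internal.example` resolves to a private address requires resolution, and an attacker controlling the name can change the answer (DNS rebinding), so such entries deserve a separate resolver-aware check rather than a silent pass.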
