CVE-2023-7080
📋 TL;DR
In affected versions of Cloudflare Wrangler, the wrangler dev development server started a V8 inspector server that listened on all network interfaces and required no authentication. The inspector exists so DevTools can debug the Worker, and by design it allows arbitrary code execution inside the Workers sandbox, so anyone who could reach the port could run code in the Worker under development. With wrangler dev --remote the Worker runs on Cloudflare with its configured bindings, so an attacker could reach production resources through it. Developers running a vulnerable wrangler dev on a shared or untrusted network were affected.
💻 Affected Systems
- Cloudflare Wrangler (npm package wrangler): 3.x before 3.19.0 and 2.x before 2.20.2
📦 What is this software?
Wrangler by Cloudflare: the command-line tool for developing, testing and deploying Cloudflare Workers. Its wrangler dev command runs the Worker locally (or, with --remote, on Cloudflare's network) and exposes a V8 inspector endpoint so DevTools can attach to and debug the running Worker.
⚠️ Risk & Real-World Impact
Worst Case
An attacker executes arbitrary JavaScript inside the Worker isolate that wrangler dev is running. With wrangler dev --remote that isolate runs on Cloudflare with whatever bindings and secrets the Worker is configured with, so the attacker can read or modify production data and abuse production services through those bindings.
Likely Case
An attacker on the same local network connects to the unauthenticated inspector and runs code inside the Workers sandbox on the developer's machine, reaching the bindings and environment the local development session has access to.
If Mitigated
With the inspector bound to loopback only, connections from other hosts on the network are rejected while local DevTools debugging keeps working.
🎯 Exploit Status
No authentication is needed to connect to the inspector in vulnerable versions. The primary vector is an attacker on the same local network (or any network from which the listening interface is reachable) connecting directly to the inspector port. Vulnerable versions also did not validate the Origin/Host headers of inspector requests (see Network Indicators below), so a malicious web page opened in the developer's browser could reach the inspector from the developer's own machine even when no other host on the network can.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: wrangler@3.19.0 and wrangler@2.20.2
Vendor Advisory: https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf
Restart Required: Yes
Instructions:
1. Update wrangler. For a global install: npm install -g wrangler@latest. For a project that pins wrangler as a devDependency (the usual setup), update it there as well: npm install --save-dev wrangler@latest
2. Verify the version that will actually run: wrangler --version (or npx wrangler --version inside the project) must report 3.19.0 or later, or 2.20.2 or later on the v2 line
3. Restart any running wrangler dev sessions; the fix only takes effect in a newly started process
🔧 Temporary Workarounds
Disable the inspector server
Run wrangler dev without the inspector server. Confirm with wrangler dev --help that your installed version accepts the flag, and verify afterwards (for example with ss -ltn) that nothing is listening on the inspector port:
wrangler dev --inspector-port=0
Bind the inspector to loopback only
Force the inspector to listen only on localhost. Again, confirm the flag is accepted by your version and check the bound address afterwards:
wrangler dev --inspector-host=localhost
Both workarounds only limit which addresses can reach the inspector; they do not change the missing Origin/Host header validation noted under Network Indicators below, so treat them as stopgaps until you update.
🧯 If You Can't Patch
- Do not run wrangler dev on shared or untrusted networks
- Block inbound connections to the inspector port (9229 by default) with the host firewall so only loopback traffic reaches it
- Use network segmentation to isolate development machines from other devices on the network
🔍 How to Verify
Check if Vulnerable:
Check the wrangler version: wrangler --version. If it is below 3.19.0 on the v3 line or below 2.20.2 on the v2 line, you are vulnerable. Check the version the project actually runs (npx wrangler --version, or the devDependency in package.json), not only a global install.
Check Version:
wrangler --version
Verify Fix Applied:
After updating, wrangler --version must show 3.19.0 or later (v3) or 2.20.2 or later (v2). Then start wrangler dev and confirm that the inspector port (9229 unless changed with --inspector-port) is bound only to a loopback address, for example with ss -ltn on Linux or lsof -iTCP:9229 -sTCP:LISTEN on Linux/macOS; a listener on 0.0.0.0, [::] or * is still reachable from the network.
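The two checks above (version below the patched release, inspector bound beyond loopback) as a script. This is an added example written for this page, not Cloudflare's or the advisory's code. Only the patched version numbers come from the advisory; the wrangler --version output format is assumed, and the ss -ltn sample is constructed.

```shell
#!/bin/sh
# Added example for this page; not Cloudflare's code. Two checks for
# CVE-2023-7080: (1) is the installed wrangler below the patched release for
# its major line, (2) is an inspector listener bound beyond loopback.
# The `wrangler --version` output format and the `ss -ltn` sample are
# assumptions/constructed input; only the patched version numbers come from
# the advisory.

# Pull the first x.y.z out of whatever `wrangler --version` prints
# (assumed: the installed version appears before any "update available" notice).
extract_version() {
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: exit 0 if A < B (numeric compare of major.minor.patch),
# exit 1 otherwise. Pre-release/build suffixes are ignored.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/[-+].*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1
    }'
}

# wrangler_status VERSION: prints "vulnerable", "patched" or "unknown".
# Fixed releases per the advisory: 3.19.0 for the v3 line, 2.20.2 for the v2 line.
wrangler_status() {
    case "$1" in
        3.*) if version_lt "$1" "3.19.0"; then echo vulnerable; else echo patched; fi ;;
        2.*) if version_lt "$1" "2.20.2"; then echo vulnerable; else echo patched; fi ;;
        *)   echo unknown ;;   # other major lines are outside the ranges this page states
    esac
}

# inspector_exposed [PORT]: reads `ss -ltn` output (Linux) on stdin, prints
# every listener on PORT (default 9229) whose local address is not loopback;
# exit 0 if any were found, 1 otherwise. 0.0.0.0, [::] and * all count as exposed.
inspector_exposed() {
    awk -v port="${1:-9229}" '
        NR > 1 {
            n = split($4, f, ":"); p = f[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample input: what a vulnerable default binding looks like.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:9229        0.0.0.0:*
LISTEN 0      511    127.0.0.1:8787      0.0.0.0:*'

# Live use on a developer machine:
#   v=$(wrangler --version 2>/dev/null | extract_version); wrangler_status "$v"
#   ss -ltn | inspector_exposed
echo "wrangler 3.18.0 is $(wrangler_status 3.18.0); 2.20.2 is $(wrangler_status 2.20.2)"
printf '%s\n' "$SAMPLE_SS" | inspector_exposed || echo "no exposed inspector listener"
```

The version check is per major line on purpose: 2.20.2 is patched even though it is numerically below 3.19.0, which a single "less than 3.19.0" comparison would get wrong. Run the listener check while wrangler dev is actually running, since the inspector socket only exists for the lifetime of that process.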
📡 Detection & Monitoring
Log Indicators:
- Connections to the inspector port (9229 unless wrangler dev was started with --inspector-port) from any address other than 127.0.0.1 or ::1
- Network connections from unexpected hosts to the wrangler dev process
Network Indicators:
- TCP connections to port 9229 from non-loopback addresses
- HTTP/WebSocket requests to the inspector endpoint whose Host header is not a loopback host, or whose Origin is a web site rather than DevTools or a page served from the local machine
SIEM Query (ECS field names; adjust to your schema):
destination.port:9229 AND NOT (source.ip:127.0.0.1 OR source.ip:"::1")
This query only catches the network vector. A request triggered by a malicious page in the developer's browser arrives from 127.0.0.1 and passes the source filter, so catching it requires the Host/Origin checks above, which in turn need a proxy or host sensor that records HTTP headers on the inspector port.
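The detection logic above, including the Host/Origin checks that the source-IP query cannot express, run over sample request records. This is an added example written for this page, not Cloudflare's code. The record layout (timestamp, source IP, destination port, Host header, Origin header, method, path) and every log line are constructed for the example; the trusted-Origin allowlist is an assumption to tighten for your environment.

```shell
#!/bin/sh
# Added example for this page; not Cloudflare's code. Flags inspector
# requests, including the ones a `destination.port AND NOT loopback source`
# query misses. Input: one request per line, space-separated, as
#   TIMESTAMP SRC_IP DST_PORT HOST_HEADER ORIGIN_HEADER METHOD PATH
# with "-" for an absent header. This layout and the log lines below are
# constructed for the example; map your own proxy/sensor fields onto it.

# flag_inspector_requests [PORT]: print each request to PORT (default 9229)
# that comes from a non-loopback source, carries a Host header that is not a
# loopback host (what a DNS-rebinding page would send), or carries an Origin
# other than DevTools or a page served from the local machine.
flag_inspector_requests() {
    awk -v port="${1:-9229}" '
        function loopback_ip(ip)  { return ip == "127.0.0.1" || ip == "::1" }
        function loopback_host(h) {
            sub(/:[0-9]+$/, "", h)              # drop the :port suffix
            return h == "localhost" || h == "127.0.0.1" || h == "[::1]"
        }
        function trusted_origin(o) {
            # No Origin (non-browser clients such as an IDE debugger), Chrome DevTools,
            # or a page served from the local machine. Assumed allowlist.
            return o == "-" || o ~ /^devtools:\/\// ||
                   o ~ /^https?:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?$/
        }
        $3 == port {
            reason = ""
            if (!loopback_ip($2))         reason = "non-loopback source " $2
            else if (!loopback_host($4))  reason = "unexpected Host " $4
            else if (!trusted_origin($5)) reason = "untrusted Origin " $5
            if (reason != "") print reason ": " $0
        }'
}

# Constructed sample: a legitimate local DevTools session, a LAN host probing
# the inspector, a local browser tab on an attacker site, an unrelated request
# to the dev server, a rebinding-style Host, and a legitimate DevTools Origin.
SAMPLE_LOG='2023-12-20T10:01:02Z 127.0.0.1 9229 localhost:9229 - GET /json/list
2023-12-20T10:01:05Z 192.168.1.42 9229 192.168.1.10:9229 - GET /json/list
2023-12-20T10:02:11Z 127.0.0.1 9229 localhost:9229 https://evil.example GET /ws
2023-12-20T10:02:30Z 127.0.0.1 8787 localhost:8787 - GET /
2023-12-20T10:03:00Z 127.0.0.1 9229 dev.example.net:9229 - GET /json/list
2023-12-20T10:03:10Z 127.0.0.1 9229 localhost:9229 devtools://devtools GET /ws'

# Live use: feed your sensor's records in the same layout, e.g.
#   normalize_my_proxy_log < access.log | flag_inspector_requests
printf '%s\n' "$SAMPLE_LOG" | flag_inspector_requests
```

Three of the six sample records are flagged: the LAN source, the attacker-site Origin, and the non-loopback Host; the request with Origin devtools://devtools and the request to the dev server port are left alone. The order of the checks matters only for the reason string: a record from a LAN address is reported as such even if its headers are also wrong.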
🔗 References
- https://github.com/cloudflare/workers-sdk/issues/4430
- https://github.com/cloudflare/workers-sdk/pull/4437
- https://github.com/cloudflare/workers-sdk/pull/4535
- https://github.com/cloudflare/workers-sdk/pull/4550
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf