Path Traversal Vulnerability in webpack-dev-middleware
CVE-2024-29180
What is CVE-2024-29180?
The webpack-dev-middleware has a vulnerability that allows for path traversal attacks due to inadequate validation of supplied URL addresses. Before the release of versions 7.1.0, 6.1.2, and 5.3.4, this security flaw could result in unauthorized access to any file on the developer’s machine. The middleware architecture allows file access either from the physical filesystem or a virtual in-memory filesystem, depending on the configuration. If the writeToDisk option is enabled, attackers can exploit this flaw without needing the victim’s consent by connecting directly to a publicly accessible development server. Additionally, attackers could send a malicious link to the victim, enabling local file exfiltration. Effective security measures are in place from newer versions to ensure URLs are properly unescaped and normalized to mitigate these risks.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
webpack-dev-middleware >= 7.0.0, < 7.1.0 < 7.0.0, 7.1.0
webpack-dev-middleware >= 6.0.0, < 6.1.2 < 6.0.0, 6.1.2
webpack-dev-middleware < 5.3.4 < 5.3.4
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved