Path Traversal Vulnerability in webpack-dev-middleware
CVE-2024-29180

7.4HIGH

Key Information:

Vendor: Webpack
Status: Webpack-dev-middleware
Vendor: CVE Published:; 21 March 2024

What is CVE-2024-29180?

The webpack-dev-middleware has a vulnerability that allows for path traversal attacks due to inadequate validation of supplied URL addresses. Before the release of versions 7.1.0, 6.1.2, and 5.3.4, this security flaw could result in unauthorized access to any file on the developer’s machine. The middleware architecture allows file access either from the physical filesystem or a virtual in-memory filesystem, depending on the configuration. If the writeToDisk option is enabled, attackers can exploit this flaw without needing the victim’s consent by connecting directly to a publicly accessible development server. Additionally, attackers could send a malicious link to the victim, enabling local file exfiltration. Effective security measures are in place from newer versions to ensure URLs are properly unescaped and normalized to mitigate these risks.

Affected Version(s)

webpack-dev-middleware >= 7.0.0, < 7.1.0 < 7.0.0, 7.1.0

webpack-dev-middleware >= 6.0.0, < 6.1.2 < 6.0.0, 6.1.2

webpack-dev-middleware < 5.3.4 < 5.3.4

References

https://github.com/webpack/webpack-dev-middleware/securit...

x_refsource_CONFIRM

https://github.com/webpack/webpack-dev-middleware/commit/...

x_refsource_MISC

https://github.com/webpack/webpack-dev-middleware/commit/...

x_refsource_MISC

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Mar 18, 2024

Webpack

What is CVE-2024-29180?

Affected Version(s)

References

CVSS V3.1

Timeline