Lekensteyn

**Name of the Vulnerable Software and Affected Versions** Miniflare versions prior to 3.20231030.2 **Description** Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces, as was the default in wrangler until 3.19.0, an attacker on the local network could access other local servers. **Recommendations** For versions prior to 3.20231030.2, update to version 3.20231030.2 or later to resolve the issue. As a temporary workaround, ensure Miniflare is configured to listen on just local interfaces by using the host: "127.0.0.1" option.

**Name of the Vulnerable Software and Affected Versions** Wrangler versions prior to 3.19.0 **Description** Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file. **Recommendations** For versions prior to 3.19.0, update to version 3.19.0 or later. As a temporary workaround, configure Wrangler to listen on local interfaces instead with `wrangler dev --ip 127.0.0.1`. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

**Name of the Vulnerable Software and Affected Versions** wrangler versions prior to 3.19.0 wrangler versions prior to 2.20.2 **Description** The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. `wrangler dev` would previously start an inspector server listening on all network interfaces, allowing an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate `Origin`/`Host` headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If `wrangler dev --remote` was being used, an attacker could access production resources if they were bound to the worker. **Recommendations** For versions prior to 3.19.0, upgrade to at least `wrangler@3.19.0` to introduce validation for the `Origin`/`Host` headers. For versions prior to 2.20.2, upgrade to at least `wrangler@2.20.2` to introduce validation for the `Origin`/`Host` headers. As a temporary workaround, consider configuring Wrangler to listen on local interfaces instead with `wrangler dev --ip 127.0.0.1` to prevent SSRF.