PT-2023-24762 · Gatsby · Gatsby

Maxwell Garrett · Published 2023-06-07 · Updated 2023-06-22 · CVE-2023-34238

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Gatsby versions prior to 4.25.7 and 5.9.1

Description

The Gatsby framework contains a Local File Inclusion vulnerability in the file-code-frame and original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope of the development server could potentially be exposed. By default, gatsby develop is only accessible on localhost (127.0.0.1), and one would need to intentionally expose the server to other interfaces to exploit this vulnerability.

Recommendations

For versions prior to 4.25.7, upgrade to version 4.25.7 or later. For versions prior to 5.9.1, upgrade to version 5.9.1 or later. As a temporary workaround, restrict access to the development server so that it is not exposed to untrusted interfaces or IP address ranges. Avoid using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable, which could expose the server to other interfaces.
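One way to check a project against the recommendations above, as an added example (not code from Gatsby or from this advisory): it flags an installed Gatsby version older than the fixed releases and any package.json script that binds gatsby develop to a non-loopback host. The function names, the sample package.json, and the rule that a command-line host flag takes precedence over GATSBY_HOST are assumptions of this example.

```javascript
// Added example: audit a Gatsby project for the exposure described in CVE-2023-34238.
// All names here are hypothetical; the sample package.json below is constructed.
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);

// Fixed releases named in the advisory: 4.25.7 (4.x line) and 5.9.1 (5.x line).
function isVulnerableVersion(v) {
  const [maj = 0, min = 0, pat = 0] = v.split('.').map((s) => parseInt(s, 10) || 0);
  const before = (a, b, c) => (maj !== a ? maj < a : min !== b ? min < b : pat < c);
  return maj === 5 ? before(5, 9, 1) : maj < 5 && before(4, 25, 7);
}

// Host that a script's `gatsby develop` call binds to, or null if it does not run it.
// Assumption: a -H/--host flag overrides GATSBY_HOST, which overrides the default.
function developHost(command, env = {}) {
  const args = command.trim().split(/\s+/);
  const i = args.findIndex((a, n) => a === 'gatsby' && args[n + 1] === 'develop');
  if (i < 0) return null;
  let host = env.GATSBY_HOST || '127.0.0.1';
  for (let n = 0; n < args.length; n++) {
    const inline = n < i && /^GATSBY_HOST=(.+)$/.exec(args[n]);
    const eq = n > i + 1 && /^(?:--host|-H)=(.+)$/.exec(args[n]);
    if (inline) host = inline[1];
    else if (eq) host = eq[1];
    else if (n > i + 1 && /^(--host|-H)$/.test(args[n]) && args[n + 1]) host = args[++n];
  }
  return host;
}

// Collect findings for one project: outdated version plus exposed develop scripts.
function audit(pkg, installedVersion, env = {}) {
  const findings = [];
  if (isVulnerableVersion(installedVersion)) {
    findings.push(`gatsby ${installedVersion} predates fixed releases 4.25.7 / 5.9.1`);
  }
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    const host = developHost(cmd, env);
    if (host !== null && !LOOPBACK.has(host)) {
      findings.push(`script "${name}" binds gatsby develop to ${host}`);
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const samplePkg = { scripts: {
  develop: 'gatsby develop',
  'develop:lan': 'gatsby develop -H 0.0.0.0 -p 8000',
  docker: 'GATSBY_HOST=0.0.0.0 gatsby develop',
} };
console.log(audit(samplePkg, '5.9.0'));
```

Pass the version from node_modules/gatsby/package.json and `process.env` as the third argument to cover a GATSBY_HOST value set outside the scripts.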

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-34238
GHSA-C6F8-8R25-C4GC

Affected Products

Gatsby