CVE-2024-29180

Name of the Vulnerable Software and Affected Versions: webpack-dev-middleware versions prior to 7.1.0 webpack-dev-middleware versions prior to 6.1.2 webpack-dev-middleware versions prior to 5.3.4

Description: The webpack-dev-middleware does not sufficiently validate the supplied URL address before returning the local file, potentially allowing access to any file on the developer's machine. The middleware can operate with either the physical filesystem (when writeToDisk is set to true) or a virtualized in-memory memfs filesystem. The getFilenameFromUrl method parses the URL and constructs the local file path. Because the URL is not automatically unescaped and normalized before processing, sequences like %2e and %2f can be used to perform a path traversal attack. Developers using webpack-dev-server or webpack-dev-middleware are affected. An attacker could potentially access and exfiltrate files from the developer's machine, especially if the development server is listening on a public IP address or allows access from third-party domains.

Recommendations: Update to webpack-dev-middleware version 7.1.0 or later. Update to webpack-dev-middleware version 6.1.2 or later. Update to webpack-dev-middleware version 5.3.4 or later.