{"id":"CVE-2023-3348","details":"The Wrangler command line tool (\u003c=wrangler@3.1.0 or \u003c=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker on the same network as the victim to connect to the local development server and access the victim's files outside of the development server's directory.","aliases":["GHSA-8c93-4hch-xgxp"],"modified":"2026-03-14T12:07:17.476138Z","published":"2023-08-03T15:15:30.227Z","related":["GHSA-8c93-4hch-xgxp"],"references":[{"type":"WEB","url":"https://developers.cloudflare.com/workers/wrangler/"},{"type":"ADVISORY","url":"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp"},{"type":"PACKAGE","url":"https://github.com/cloudflare/workers-sdk"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudflare/workers-sdk","events":[{"introduced":"0"},{"fixed":"881ea7be43bcd5a3b7ea1d708c04408c9c27d50d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.1.1"}]}}],"versions":["@cloudflare/pages-shared@0.0.10","@cloudflare/pages-shared@0.0.11","@cloudflare/pages-shared@0.0.12","@cloudflare/pages-shared@0.0.9","@cloudflare/pages-shared@0.2.0","@cloudflare/pages-shared@0.3.0","@cloudflare/pages-shared@0.3.1","@cloudflare/pages-shared@0.3.2","@cloudflare/pages-shared@0.3.3","@cloudflare/pages-shared@0.3.4","@cloudflare/pages-shared@0.3.5","@cloudflare/pages-shared@0.4.0","@cloudflare/pages-shared@0.4.1","@cloudflare/pages-shared@0.4.2","@cloudflare/pages-shared@0.5.0","@cloudflare/pages-shared@0.5.1","@cloudflare/prerelease-registry@0.0.2","@cloudflare/wrangler-devtools@0.0.0","create-cloudflare@2.0.3","create-cloudflare@2.0.5","create-cloudflare@2.0.6","create-cloudflare@2.0.7","create-cloudflare@2.0.8","create-cloudflare@2.0.9","d1-example@0.0.0","d1-worker-app@1.0.0","example-wasm-app@1.0.0","external-durable-objects-app@un
defined","images.pages.dev@0.1.0","isomorphic-random-example@0.0.1","jest-environment-wrangler@0.0.24","jest-environment-wrangler@0.0.26","jest-environment-wrangler@0.0.28","jest-environment-wrangler@0.0.29","jest-environment-wrangler@0.0.31","legacy-site-app@0.0.0","local-mode-tests@1.0.1","news-feed-app@0.1.0","no-bundle-import@0.0.0","node-app-pages@0.0.0","pages-d1-shim@0.0.0","pages-functions-app@0.0.0","pages-functions-cors@0.0.0","pages-functions-wasm-app@0.0.1","pages-functions-with-routes-app@0.0.1","pages-plugin-example@0.0.0","pages-plugin-mounted-on-root-app@0.0.0","pages-plugin-static-forms@0.0.0","pages-workerjs-and-functions-app@0.0.1","pages-workerjs-app@0.0.0","pages-workerjs-wasm-app@0.0.1","pages-workerjs-with-routes-app@0.0.1","pages-ws-app@0.0.0","prospector@0.0.0","remix-pages-app@undefined","rules-app@1.0.0","service-bindings-app@undefined","sites-app@0.0.0","solarflare-theme@0.0.1","solarflare-theme@0.0.2","template-worker-aws@0.0.0","template-worker-d1@1.0.0","template-worker-durable-objects@0.0.0","template-worker-mysql@0.0.0","template-worker-postgres@0.0.0","template-worker-r2@0.0.0","template-worker-router@0.0.0","template-worker-sites-react@0.0.0","template-worker-sites@0.0.0","template-worker-speedtest@0.0.0","template-worker-typescript@0.0.0","template-worker-websocket@0.0.0","template-worker-worktop@0.0.0","template-worker@0.0.0","v2.0.8","wasm-app@1.0.0","worker-app@1.0.1","worker-example-request-scheduler@0.0.0","worker-example-wordle@0.0.0","worker-openapi@1.0.0","workers-analytics-engine-template@0.0.0","workers-chat-demo@1.0.0","workers-websocket-durable-objects@0.0.0","workers.new@0.0.0","wrangler-dev-api-app@1.0.0","wrangler@0.0.10","wrangler@0.0.11","wrangler@0.0.12","wrangler@0.0.13","wrangler@0.0.14","wrangler@0.0.15","wrangler@0.0.16","wrangler@0.0.17","wrangler@0.0.18","wrangler@0.0.19","wrangler@0.0.21","wrangler@0.0.22","wrangler@0.0.23","wrangler@0.0.24","wrangler@0.0.25","wrangler@0.0.26","wrangler@0.0.27","wrangler@0
.0.28","wrangler@0.0.29","wrangler@0.0.30","wrangler@0.0.31","wrangler@0.0.32","wrangler@0.0.33","wrangler@0.0.34","wrangler@0.0.5","wrangler@0.0.6","wrangler@0.0.7","wrangler@0.0.8","wrangler@0.0.9","wrangler@2.0.0","wrangler@2.0.1","wrangler@2.0.11","wrangler@2.0.12","wrangler@2.0.14","wrangler@2.0.15","wrangler@2.0.16","wrangler@2.0.17","wrangler@2.0.18","wrangler@2.0.19","wrangler@2.0.2","wrangler@2.0.21","wrangler@2.0.22","wrangler@2.0.23","wrangler@2.0.24","wrangler@2.0.25","wrangler@2.0.26","wrangler@2.0.27","wrangler@2.0.28","wrangler@2.0.29","wrangler@2.0.3","wrangler@2.0.5","wrangler@2.0.6","wrangler@2.0.7","wrangler@2.0.8","wrangler@2.0.9","wrangler@2.1.0","wrangler@2.1.1","wrangler@2.1.10","wrangler@2.1.11","wrangler@2.1.12","wrangler@2.1.13","wrangler@2.1.14","wrangler@2.1.15","wrangler@2.1.2","wrangler@2.1.3","wrangler@2.1.4","wrangler@2.1.5","wrangler@2.1.6","wrangler@2.1.7","wrangler@2.1.8","wrangler@2.1.9","wrangler@2.10.0","wrangler@2.11.0","wrangler@2.11.1","wrangler@2.12.0","wrangler@2.12.1","wrangler@2.12.2","wrangler@2.12.3","wrangler@2.13.0","wrangler@2.14.0","wrangler@2.15.0","wrangler@2.15.1","wrangler@2.16.0","wrangler@2.17.0","wrangler@2.18.0","wrangler@2.19.0","wrangler@2.2.0","wrangler@2.2.1","wrangler@2.2.2","wrangler@2.2.3","wrangler@2.20.0","wrangler@2.3.0","wrangler@2.3.1","wrangler@2.3.2","wrangler@2.4.0","wrangler@2.4.1","wrangler@2.4.2","wrangler@2.4.3","wrangler@2.4.4","wrangler@2.5.0","wrangler@2.6.0","wrangler@2.6.1","wrangler@2.6.2","wrangler@2.7.0","wrangler@2.7.1","wrangler@2.8.0","wrangler@2.8.1","wrangler@2.9.0","wrangler@2.9.1","wrangler@3.0.0","wrangler@3.0.1","wrangler@3.1.0","wranglerjs-compat-webpack-plugin@0.0.2","wranglerjs-compat-webpack-plugin@0.0.3","wranglerjs-compat-webpack-plugin@0.0.4","wranglerjs-compat-webpack-plugin@0.0.5","wranglerjs-compat-webpack-plugin@0.0.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-3348.json"}}],"schema_version":"1.7.5","sev
erity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}