{"id":"CVE-2023-7080","details":"The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. Previously, wrangler dev started an inspector server listening on all network interfaces. This allowed an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, so an attacker who could trick any user on the local network into opening a malicious website could also run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.\n\nThis issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. 
wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.\n","aliases":["GHSA-f8mp-x433-5wpf"],"modified":"2026-04-10T05:07:46.146063Z","published":"2023-12-29T12:15:47.970Z","related":["GHSA-f8mp-x433-5wpf"],"references":[{"type":"FIX","url":"https://github.com/cloudflare/workers-sdk/issues/4430"},{"type":"FIX","url":"https://github.com/cloudflare/workers-sdk/pull/4437"},{"type":"FIX","url":"https://github.com/cloudflare/workers-sdk/pull/4535"},{"type":"FIX","url":"https://github.com/cloudflare/workers-sdk/pull/4550"},{"type":"FIX","url":"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudflare/workers-sdk","events":[{"introduced":"68ddad51d3d57925fa760ce80aba5584d6749156"},{"fixed":"4d2646d5d05b8ef93ad04cdd5bfe35f3972a5f79"},{"introduced":"1b62dbb2db15c31a662236f231243df3c63303a0"},{"fixed":"5e67ea176ac03718061b49bce6311ce169a355bd"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.20.2"},{"introduced":"3.0.0"},{"fixed":"3.19.0"}]}}],"versions":["@cloudflare/pages-shared@0.0.10","@cloudflare/pages-shared@0.0.11","@cloudflare/pages-shared@0.0.12","@cloudflare/pages-shared@0.0.9","@cloudflare/pages-shared@0.10.0","@cloudflare/pages-shared@0.10.1","@cloudflare/pages-shared@0.11.0","@cloudflare/pages-shared@0.11.1","@cloudflare/pages-shared@0.11.2","@cloudflare/pages-shared@0.2.0","@cloudflare/pages-shared@0.3.0","@cloudflare/pages-shared@0.3.1","@cloudflare/pages-shared@0.3.2","@cloudflare/pages-shared@0.3.3","@cloudflare/pages-shared@0.3.4","@cloudflare/pages-shared@0.3.5","@cloudflare/pages-shared@0.4.0","@cloudflare/pages-shared@0.4.1","@cloudflare/pages-shared@0.4.2","@cloudflare/pages-shared@0.5.0","@cloudflare/pages-shared@0.5.1","@cloudflare/pages-shared@0.5.2","@cloudflare/pages-shared@0.5.3","@cloudflare/pages-shared@0.7.0","@cloudflare/pages-shared@0.8.0","@cloudflare/pages-shared@0.8.1","@cloudflare/pages-s
hared@0.8.2","@cloudflare/pages-shared@0.9.0","@cloudflare/prerelease-registry@0.0.2","@cloudflare/wrangler-devtools@0.0.0","create-cloudflare@2.0.10","create-cloudflare@2.0.11","create-cloudflare@2.0.13","create-cloudflare@2.0.14","create-cloudflare@2.0.3","create-cloudflare@2.0.5","create-cloudflare@2.0.6","create-cloudflare@2.0.7","create-cloudflare@2.0.8","create-cloudflare@2.0.9","create-cloudflare@2.1.0","create-cloudflare@2.1.1","create-cloudflare@2.2.0","create-cloudflare@2.2.1","create-cloudflare@2.2.2","create-cloudflare@2.2.3","create-cloudflare@2.3.0","create-cloudflare@2.3.1","create-cloudflare@2.4.0","create-cloudflare@2.4.1","create-cloudflare@2.5.0","create-cloudflare@2.6.0","create-cloudflare@2.6.1","create-cloudflare@2.6.2","create-cloudflare@2.7.0","create-cloudflare@2.7.1","create-cloudflare@2.8.0","d1-example@0.0.0","d1-worker-app@1.0.0","external-durable-objects-app@undefined","fixtures-shared@0.0.0","images.pages.dev@0.1.0","isomorphic-random-example@0.0.1","jest-environment-wrangler@0.0.31","legacy-site-app@0.0.0","local-mode-tests@1.0.1","miniflare@3.0.0","miniflare@3.0.0-next.1","miniflare@3.0.0-next.10","miniflare@3.0.0-next.11","miniflare@3.0.0-next.12","miniflare@3.0.0-next.13","miniflare@3.0.0-next.2","miniflare@3.0.0-next.3","miniflare@3.0.0-next.4","miniflare@3.0.0-next.6","miniflare@3.0.0-next.7","miniflare@3.0.0-next.8","miniflare@3.0.0-next.9","miniflare@3.0.0-rc.1","miniflare@3.0.1","miniflare@3.0.2","miniflare@3.20230628.0","miniflare@3.20230710.0","miniflare@3.20230717.0","miniflare@3.20230724.0","miniflare@3.20230801.0","miniflare@3.20230807.0","miniflare@3.20230814.0","miniflare@3.20230814.1","miniflare@3.20230821.0","miniflare@3.20230904.0","miniflare@3.20230918.0","miniflare@3.20230922.0","miniflare@3.20231002.0","miniflare@3.20231002.1","miniflare@3.20231010.0","miniflare@3.20231016.0","miniflare@3.20231023.0","miniflare@3.20231025.0","miniflare@3.20231030.0","miniflare@3.20231030.1","miniflare@3.20231030.2","news-feed-app@
0.1.0","no-bundle-import@0.0.0","node-app-pages@0.0.0","pages-d1-shim@0.0.0","pages-functions-app@0.0.0","pages-functions-cors@0.0.0","pages-functions-wasm-app@0.0.1","pages-functions-with-routes-app@0.0.1","pages-plugin-example@0.0.0","pages-plugin-mounted-on-root-app@0.0.0","pages-plugin-static-forms@0.0.0","pages-workerjs-and-functions-app@0.0.1","pages-workerjs-app@0.0.0","pages-workerjs-wasm-app@0.0.1","pages-workerjs-with-routes-app@0.0.1","pages-ws-app@0.0.0","prospector@0.0.0","remix-pages-app@undefined","routing-app@0.0.0","rules-app@1.0.0","service-bindings-app@undefined","sites-app@0.0.0","solarflare-theme@0.0.1","solarflare-theme@0.0.2","template-worker-aws@0.0.0","template-worker-d1@1.0.0","template-worker-durable-objects@0.0.0","template-worker-mysql@0.0.0","template-worker-postgres@0.0.0","template-worker-r2@0.0.0","template-worker-router@0.0.0","template-worker-sites-react@0.0.0","template-worker-sites@0.0.0","template-worker-speedtest@0.0.0","template-worker-typescript@0.0.0","template-worker-websocket@0.0.0","template-worker-worktop@0.0.0","template-worker@0.0.0","v2.0.8","wasm-app@1.0.0","worker-app@1.0.1","worker-example-request-scheduler@0.0.0","worker-example-wordle@0.0.0","worker-openapi@1.0.0","workers-analytics-engine-template@0.0.0","workers-chat-demo@1.0.0","workers-websocket-durable-objects@0.0.0","workers.new@0.0.0","wrangler-dev-api-app@1.0.0","wrangler@2.0.0","wrangler@2.0.1","wrangler@2.0.11","wrangler@2.0.12","wrangler@2.0.14","wrangler@2.0.15","wrangler@2.0.16","wrangler@2.0.17","wrangler@2.0.18","wrangler@2.0.19","wrangler@2.0.2","wrangler@2.0.21","wrangler@2.0.22","wrangler@2.0.23","wrangler@2.0.24","wrangler@2.0.25","wrangler@2.0.26","wrangler@2.0.27","wrangler@2.0.28","wrangler@2.0.29","wrangler@2.0.3","wrangler@2.0.5","wrangler@2.0.6","wrangler@2.0.7","wrangler@2.0.8","wrangler@2.0.9","wrangler@2.1.0","wrangler@2.1.1","wrangler@2.1.10","wrangler@2.1.11","wrangler@2.1.12","wrangler@2.1.13","wrangler@2.1.14","wrangler@2.1.15","wr
angler@2.1.2","wrangler@2.1.3","wrangler@2.1.4","wrangler@2.1.5","wrangler@2.1.6","wrangler@2.1.7","wrangler@2.1.8","wrangler@2.1.9","wrangler@2.10.0","wrangler@2.11.0","wrangler@2.11.1","wrangler@2.12.0","wrangler@2.12.1","wrangler@2.12.2","wrangler@2.12.3","wrangler@2.13.0","wrangler@2.14.0","wrangler@2.15.0","wrangler@2.15.1","wrangler@2.16.0","wrangler@2.17.0","wrangler@2.18.0","wrangler@2.19.0","wrangler@2.2.0","wrangler@2.2.1","wrangler@2.2.2","wrangler@2.2.3","wrangler@2.20.0","wrangler@2.20.1","wrangler@2.3.0","wrangler@2.3.1","wrangler@2.3.2","wrangler@2.4.0","wrangler@2.4.1","wrangler@2.4.2","wrangler@2.4.3","wrangler@2.4.4","wrangler@2.5.0","wrangler@2.6.0","wrangler@2.6.1","wrangler@2.6.2","wrangler@2.7.0","wrangler@2.7.1","wrangler@2.8.0","wrangler@2.8.1","wrangler@2.9.0","wrangler@2.9.1","wrangler@3.0.0","wrangler@3.0.1","wrangler@3.1.0","wrangler@3.1.1","wrangler@3.1.2","wrangler@3.10.0","wrangler@3.10.1","wrangler@3.11.0","wrangler@3.12.0","wrangler@3.13.0","wrangler@3.13.1","wrangler@3.13.2","wrangler@3.14.0","wrangler@3.15.0","wrangler@3.16.0","wrangler@3.17.0","wrangler@3.17.1","wrangler@3.18.0","wrangler@3.2.0","wrangler@3.3.0","wrangler@3.4.0","wrangler@3.5.0","wrangler@3.5.1","wrangler@3.6.0","wrangler@3.7.0","wrangler@3.8.0","wrangler@3.9.0","wrangler@3.9.1","wranglerjs-compat-webpack-plugin@0.0.2","wranglerjs-compat-webpack-plugin@0.0.3","wranglerjs-compat-webpack-plugin@0.0.4","wranglerjs-compat-webpack-plugin@0.0.5","wranglerjs-compat-webpack-plugin@0.0.7","wranglerjs-compat-webpack-plugin@0.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-7080.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}