Platform: nodejs
Component: webpack-dev-middleware
Fixed in: 7.0.1, 6.0.1, 5.3.5, 7.1.0
CVE-2024-29180 describes a Path Traversal vulnerability within the webpack-dev-middleware package, a Node.js middleware for webpack development servers. This flaw allows attackers to potentially access arbitrary files on the developer's machine, particularly when the writeToDisk configuration option is enabled. The vulnerability affects versions prior to 7.1.0, and a fix has been released.
The primary impact of CVE-2024-29180 is unauthorized access to sensitive files on the developer's system. If writeToDisk is enabled, an attacker can craft a malicious URL that bypasses intended file access controls. This could expose source code, configuration files containing credentials, or other sensitive data. The blast radius is limited to the developer's machine, but the potential for data compromise is significant, especially in development environments where sensitive information might be present. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access restricted resources.
CVE-2024-29180 was publicly disclosed on March 21, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of webpack-dev-middleware in development workflows. Monitor security advisories and vulnerability databases for updates.
Development teams using webpack-dev-middleware in their Node.js projects are at risk, especially those who have enabled the writeToDisk option. Shared hosting environments where developers have limited control over server configurations are also particularly vulnerable, as are projects utilizing older, unpatched versions of webpack-dev-middleware.
• nodejs / server:
  find / -name 'webpack-dev-middleware' -print
  ps aux | grep webpack-dev-middleware
  journalctl -u webpack-dev-middleware -f
• generic web:
  curl -I http://your-server/../../../../etc/passwd
  grep '200 OK' /var/log/apache2/access.log
disclosure
Exploit status
EPSS: 2.53% (85th percentile)
CVSS vector
The recommended mitigation for CVE-2024-29180 is to upgrade to webpack-dev-middleware version 7.1.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider disabling the writeToDisk option to prevent file writes to the physical filesystem. Alternatively, implement strict URL validation within the middleware to ensure that only expected files are served. Carefully review and sanitize any user-supplied input used in constructing file paths. After upgrading, confirm the fix by attempting to access a file outside the intended serving directory via a crafted URL; access should be denied.
Upgrade webpack-dev-middleware to version 7.1.0, 6.1.2, or 5.3.4 or later. This fixes the path traversal vulnerability by normalizing URLs before processing them. Run `npm update webpack-dev-middleware` or `yarn upgrade webpack-dev-middleware` to update.
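One way to implement the strict URL validation and URL normalization described in the mitigation text above, applied to the request path before any file lookup. This is an added example, not code from webpack-dev-middleware or from the original page; `safeRelativePath`, `rejectTraversal` and `req.safePath` are hypothetical names, and the sample URLs in use are constructed.

```javascript
// Added example: URL validation to run in front of a static/dev file handler.
// safeRelativePath and rejectTraversal are hypothetical names, not part of
// webpack-dev-middleware.

// Returns the normalized path relative to the served root, or null when the
// request must be refused.
function safeRelativePath(rawUrl) {
  // Drop query string and fragment; only the path maps to a file.
  const pathOnly = rawUrl.split(/[?#]/, 1)[0];

  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly); // %2e%2e%2f becomes ../
  } catch {
    return null; // malformed percent-encoding
  }

  // NUL bytes, backslashes (Windows separators) and leftover escapes
  // (double encoding such as %252e) are never needed for bundle assets.
  if (/[\0\\]|%[0-9a-f]{2}/i.test(decoded)) return null;

  // Normalize dot segments by hand so that climbing above the root is
  // detected instead of silently collapsed.
  const kept = [];
  for (const segment of decoded.split('/')) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') {
      if (kept.length === 0) return null; // would climb above the root
      kept.pop();
    } else {
      kept.push(segment);
    }
  }
  return kept.join('/');
}

// Connect/Express-style middleware: answer 403 before the file handler runs.
function rejectTraversal(req, res, next) {
  const rel = safeRelativePath(req.url);
  if (rel === null) {
    res.statusCode = 403;
    res.end('Forbidden');
    return;
  }
  req.safePath = rel; // hypothetical property for downstream handlers
  next();
}
```

Register `rejectTraversal` ahead of the dev middleware so refused requests never reach the code that maps URLs to files on disk.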
CVE-2024-29180 is a Path Traversal vulnerability in webpack-dev-middleware versions before 7.1.0, allowing attackers to access files on the developer's machine if writeToDisk is enabled.
You are affected if you are using webpack-dev-middleware versions prior to 7.1.0 and have the writeToDisk option enabled.
Upgrade to webpack-dev-middleware version 7.1.0 or later. Alternatively, disable the writeToDisk option or implement strict URL validation.
There is currently no confirmed active exploitation, but public PoCs are likely to emerge, increasing the risk.
Refer to the webpack-dev-middleware GitHub repository for updates and advisories: https://github.com/webpack/webpack-dev-middleware