Platform
nodejs
Component
webpack-dev-middleware
Fixed in
7.0.1
6.0.1
5.3.5
7.1.0
CVE-2024-29180 describes a Path Traversal vulnerability within the webpack-dev-middleware package, a Node.js middleware used for serving static files during development. This flaw allows attackers to potentially access sensitive files on the developer's machine if the writeToDisk configuration option is enabled. The vulnerability affects versions prior to 7.1.0, and a fix has been released.
The core of the vulnerability lies in insufficient URL validation within webpack-dev-middleware. When writeToDisk is set to true, the middleware directly serves files from the physical filesystem. An attacker can craft malicious URLs containing path traversal sequences (e.g., ../..) to navigate outside the intended serving directory and access arbitrary files on the server. This could expose sensitive configuration files, source code, or even system files, depending on the server's permissions. The impact is particularly severe in development environments where sensitive information might be inadvertently exposed. This vulnerability shares similarities with other path traversal exploits where improper input sanitization leads to unauthorized file access.
CVE-2024-29180 was publicly disclosed on March 21, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation, increasing the risk. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
2.53% (85% percentile)
CVSS Vector
The primary mitigation for CVE-2024-29180 is to upgrade to webpack-dev-middleware version 7.1.0 or later, which includes the necessary URL validation fixes. If upgrading is not immediately feasible, consider disabling the writeToDisk option entirely, which forces the middleware to use an in-memory filesystem and eliminates the risk of direct file access. As a temporary workaround, implement strict URL validation on the server-side to prevent path traversal attempts. This could involve whitelisting allowed characters or using a secure URL parsing library. After upgrading, verify the fix by attempting to access files outside the intended serving directory using crafted URLs; access should be denied.
Update webpack-dev-middleware to version 7.1.0, 6.1.2, or 5.3.4 or higher. This fixes the path traversal vulnerability by normalizing URLs before processing them. Run `npm update webpack-dev-middleware` or `yarn upgrade webpack-dev-middleware` to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-29180 is a Path Traversal vulnerability in webpack-dev-middleware versions before 7.1.0, allowing attackers to access files on the developer's machine if writeToDisk is enabled.
You are affected if you are using webpack-dev-middleware versions prior to 7.1.0 and have the writeToDisk option enabled.
Upgrade to webpack-dev-middleware version 7.1.0 or later. Alternatively, disable the writeToDisk option or implement strict URL validation.
There is currently no confirmed active exploitation, but public PoCs are likely to emerge, increasing the risk.
Refer to the webpack-dev-middleware GitHub repository for updates and advisories: https://github.com/webpack/webpack-dev-middleware
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.