CVE-2023-7078: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Miniflare versions 3.20230821.0 through 3.20231030.2. The vulnerability allows an attacker to send specially crafted HTTP requests to Miniflare's server, resulting in arbitrary HTTP and WebSocket requests being sent from the server. This vulnerability was particularly concerning when Miniflare was configured to listen on external network interfaces, which was the default behavior in wrangler until version 3.19.0 (GitHub Advisory).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 8.1 HIGH (NIST: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Cloudflare assigned it a slightly different CVSS score of 7.5 HIGH (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N). The vulnerability allowed attackers on the local network to access other local servers through specially crafted HTTP requests that triggered unauthorized HTTP and WebSocket requests from the Miniflare server (NVD).

The vulnerability enables attackers on the local network to access other local servers by exploiting Miniflare's request handling mechanism. This could potentially lead to unauthorized access to sensitive information and services running on the local network (GitHub Advisory).

The vulnerability has been patched in Miniflare version 3.20231030.2. As a workaround, users can configure Miniflare to listen only on local interfaces using the host: "127.0.0.1" option. This is now the default behavior in newer versions (GitHub Advisory).