CVE-2023-7079: 
JavaScript vulnerability analysis and mitigation

CVE-2023-7079 affects Wrangler's dev server, discovered and disclosed on December 29, 2023. The vulnerability impacts versions from 3.9.0 to versions before 3.19.0 of the Wrangler package. This security issue allows attackers to access any file on a user's computer through specially crafted HTTP requests and inspector messages to Wrangler's dev server when the server is accessible over the local network (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 5.7 MEDIUM (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) according to NVD, while Cloudflare rates it at 6.4 MEDIUM (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N). The vulnerability is categorized under CWE-287 (Improper Authentication). The issue stems from insufficient validation of HTTP requests and inspector messages, allowing unauthorized access to files outside the intended directory scope (NVD).

The vulnerability enables attackers on the local network to access any file on the user's computer. Additionally, if an attacker can trick a user on the local network into opening a malicious website, they can leverage this vulnerability to read any file on the victim's system (GitHub Advisory).

The vulnerability has been patched in Wrangler version 3.19.0, which now only serves files that are part of the bundle or referenced by the bundle's source maps. As a workaround for affected versions, users can configure Wrangler to listen only on local interfaces using the command 'wrangler dev --ip 127.0.0.1'. This is the default behavior as of version 3.16.0 and removes the local network as an attack vector, though it doesn't prevent attacks from malicious websites (GitHub Advisory).