
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-7080 affects wrangler versions 2.0.0 through 2.20.2 and 3.0.0 through 3.19.0. The vulnerability concerns the V8 inspector that wrangler dev exposes for debugging, which by design allows arbitrary code execution inside the Workers sandbox. The issue was discovered and disclosed on December 29, 2023 (GHSA Advisory).
The vulnerability stems from wrangler dev starting an inspector server that listened on all network interfaces and, in addition, did not properly validate the Origin and Host headers of incoming requests. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 HIGH with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H by NIST NVD, and a score of 8.5 HIGH with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N by Cloudflare (NVD).
An attacker on the local network could connect to the inspector and execute arbitrary code within the Workers sandbox. If a user on the local network was tricked into opening a malicious website, the missing header validation would also let that website reach the inspector and execute code. When using wrangler dev --remote, an attacker could potentially access production resources if they were bound to the worker (GHSA Advisory).
The vulnerability has been patched in wrangler versions 3.19.0 and 2.20.2. While wrangler dev's inspector server began listening on local interfaces by default as of version 3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until version 3.18.0. For users unable to upgrade immediately, a workaround is to configure Wrangler to listen on local interfaces only using the command wrangler dev --ip 127.0.0.1, though this only prevents the local network attack vector and not attacks from malicious websites (GHSA Advisory).
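Added example (not wrangler's or Cloudflare's code): a Node.js Host/Origin allow-list check of the kind the advisory says the inspector server lacked, plus a check for the bind address behind the --ip workaround. The port 9229 and host names such as attacker.example are constructed for illustration.

```javascript
// Added example, not wrangler's code. Shows why binding to 127.0.0.1 alone
// (the advisory's workaround) does not stop a malicious website: a browser on
// the same machine can still reach a loopback port, so the inspector must also
// validate the Host and Origin headers of every HTTP/WebSocket request.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// The --ip workaround only helps if the bind address is a loopback address;
// 0.0.0.0 and :: expose the inspector on every interface (the vulnerable default).
function bindIsLoopback(ip) {
  return ["127.0.0.1", "::1", "localhost"].includes(String(ip).trim().toLowerCase());
}

// Strip an optional port and compare the host name against the loopback set.
// Accepts "localhost:9229", "[::1]:9229", "127.0.0.1"; rejects anything else,
// including "127.0.0.1.attacker.example", which a DNS-rebinding page would use.
function hostIsLoopback(hostHeader) {
  if (typeof hostHeader !== "string") return false;
  const h = hostHeader.trim().toLowerCase();
  const m = /^(\[[^\]]*\]|[^:]+)(?::\d{1,5})?$/.exec(h);
  return m !== null && LOOPBACK_HOSTS.has(m[1]);
}

// Decide whether an inspector request may proceed.
// Rule 1: Host must name a loopback address (blocks rebinding-style requests
//         whose Host is an attacker-controlled domain).
// Rule 2: If a browser sends Origin, it must be an http(s) loopback origin
//         (blocks cross-site WebSocket connections from a malicious page).
//         Non-browser clients such as a local debugger send no Origin.
function isAllowedInspectorRequest(headers) {
  if (!hostIsLoopback(headers.host)) return { ok: false, reason: "host" };
  const origin = headers.origin;
  if (origin === undefined) return { ok: true };
  let url;
  try {
    url = new URL(origin); // "null" (sandboxed iframe) and garbage both throw
  } catch {
    return { ok: false, reason: "origin" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "origin" };
  }
  return hostIsLoopback(url.host) ? { ok: true } : { ok: false, reason: "origin" };
}
```

Wire isAllowedInspectorRequest into the HTTP request and WebSocket upgrade handlers and respond 403 on any rejection before the inspector protocol is touched.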
Source: This report was generated using AI