Update dependency wrangler to v3.51.0 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wrangler (source)	3.50.0 -> 3.51.0

GitHub Vulnerability Alerts

CVE-2023-3348

Impact

The Wrangler command line tool (<[email protected] or <[email protected]) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher.
Wrangler3: Upgrade to v3.1.1 or higher.

References

Workers SDK on Github
Wrangler docs
CVE-2023-3348

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in [email protected] and [email protected]. Whilst wrangler dev's inspector server listens on local interfaces by default as of [email protected], an SSRF vulnerability in miniflare allowed access from the local network until [email protected]. [email protected] and [email protected] introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least [email protected], and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

• https://github.com/cloudflare/workers-sdk/issues/4430
• https://github.com/cloudflare/workers-sdk/pull/4437
• https://github.com/cloudflare/workers-sdk/pull/4535
• https://github.com/cloudflare/workers-sdk/pull/4550

---

Release Notes

cloudflare/workers-sdk (wrangler)

v3.51.0

Compare Source

Minor Changes

• #​5477 9a46e03 Thanks @​pmiguel! - feature: Changed Queues client to use the new QueueId and ConsumerId-based endpoints.

• #​5172 fbe1c9c Thanks @​GregBrimble! - feat: Allow marking external modules (with --external) to avoid bundling them when building Pages Functions

  It's useful for Pages Plugins which want to declare a peer dependency.

Patch Changes

• #​5585 22f5841 Thanks @​geelen! - Updates wrangler d1 export to handle larger DBs more efficiently

• Updated dependencies [c9f081a, c9f081a]:

  • [email protected]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.