icon

We found results for “

CVE-2023-34238

Good to know:

icon

Date: June 7, 2023

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the "__file-code-frame" and "__original-stack-frame" paths, exposed when running the Gatsby develop server ("gatsby develop"). Any file in scope of the development server could potentially be exposed. It should be noted that by default "gatsby develop" is only accessible via the localhost "127.0.0.1", and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as "--host 0.0.0.0", "-H 0.0.0.0", or the "GATSBY_HOST=0.0.0.0" environment variable. A patch has been introduced in "gatsby@5.9.1" and "gatsby@4.25.7" which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.

Language: JS

Severity Score

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version gatsby - 4.25.7;gatsby - 5.9.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us