CVE-2024-29180

Summary

CVE-2024-29180 is a vulnerability affecting versions prior to 7.1.0, 6.1.2, and 5.3.4 of webpack-dev-middleware in devpack. This middleware fails to validate user-supplied URLs adequately, allowing attackers to access any file on the developer's machine. The vulnerability can be exploited through path traversal attacks using `%2e` and `%2f` sequences, potentially leading to exfiltration of sensitive information. Developers using webpack-dev-server or webpack-dev-middleare are at risk. Attackers can access local files via direct connection to the server or through malicious links that trigger client-side scripts to exfiltrate data from the local server. With fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is now properly unescaped and normalized before processing.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.