CVE-2023-7080: The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspec...

Description

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker. This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.58%

43.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-269

Affected Software

Vendor	Product	Versions
Cloudflare	Wrangler	>= 2.0.0, < 2.20.2
Cloudflare	Wrangler	>= 3.0.0, < 3.19.0

References

https://github.com/cloudflare/workers-sdk/issues/4430Issue Tracking, Patch
https://github.com/cloudflare/workers-sdk/pull/4437Patch
https://github.com/cloudflare/workers-sdk/pull/4535Patch
https://github.com/cloudflare/workers-sdk/pull/4550Patch
https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpfMitigation, Patch, Third Party Advisory
https://github.com/cloudflare/workers-sdk/issues/4430Issue Tracking, Patch
https://github.com/cloudflare/workers-sdk/pull/4437Patch
https://github.com/cloudflare/workers-sdk/pull/4535Patch
https://github.com/cloudflare/workers-sdk/pull/4550Patch
https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpfMitigation, Patch, Third Party Advisory

Timeline

Published: Dec 29, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-7080?

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker. This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7 (CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

How severe is CVE-2023-7080?

CVE-2023-7080 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 0.58% probability of exploitation in the next 30 days.

How do I fix CVE-2023-7080?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.