CVE-2023-34238
Local File Inclusion vulnerability in gatsby (npm)
What is CVE-2023-34238 About?
This vulnerability is a Local File Inclusion (LFI) in the Gatsby framework's develop server, specifically affecting the `__file-code-frame` and `__original-stack-frame` paths. It allows attackers to read arbitrary files from the server's file system, significantly impacting data confidentiality. By default `gatsby develop` listens only on localhost, but once the server is deliberately exposed to a network the flaw can be exploited with simple HTTP requests.
Affected Software
- gatsby
  - >5.0.0, <5.9.1
  - <4.25.7
Technical Details
The Local File Inclusion vulnerability in Gatsby (prior to versions 4.25.7 and 5.9.1) arises in the development server when accessing the `__file-code-frame` and `__original-stack-frame` paths. These paths are intended for debugging purposes, but they do not properly validate user-supplied input. An attacker can manipulate the `filePath` parameter of the `__file-code-frame` endpoint (e.g., `filePath=/etc/passwd`) or the `moduleId` parameter of `__original-stack-frame` (e.g., `moduleId=/etc/hosts`) to traverse the directory structure and read arbitrary files from the system where the `gatsby develop` server is running. This direct parameter manipulation allows for file content disclosure.
What is the Impact of CVE-2023-34238?
Successful exploitation may allow attackers to read arbitrary files from the server's file system, potentially leading to the disclosure of sensitive information such as configuration files, user data, or source code.
What is the Exploitability of CVE-2023-34238?
Exploiting this LFI vulnerability is straightforward once the `gatsby develop` server is accessible. The complexity is low, requiring basic knowledge of HTTP requests and local file paths. No authentication is required for exploitation; an unauthenticated user can directly send crafted requests. There are no special privilege requirements. By default, the `gatsby develop` server only listens on localhost (127.0.0.1), making it a local vulnerability. However, if the server is explicitly configured to listen on 0.0.0.0 or other interfaces (e.g., via `--host 0.0.0.0` or `GATSBY_HOST=0.0.0.0`), it becomes remotely exploitable. The primary risk factor increasing exploitation likelihood is exposing the development server to untrusted networks or the internet.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34238?
Available Upgrade Options
- gatsby
  - <4.25.7 → Upgrade to 4.25.7
  - >5.0.0, <5.9.1 → Upgrade to 5.9.1
Additional Resources
- https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc
- https://osv.dev/vulnerability/GHSA-c6f8-8r25-c4gc
- https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c
- https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7
- https://github.com/gatsbyjs/gatsby
- https://nvd.nist.gov/vuln/detail/CVE-2023-34238
What are Similar Vulnerabilities to CVE-2023-34238?
Similar Vulnerabilities: CVE-2020-15228, CVE-2021-32646, CVE-2021-39180, CVE-2022-21696, CVE-2022-31130
