Local File Inclusion vulnerability in Gatsby framework prior to versions 4.25.7 and 5.9.1

Local File Inclusion vulnerability in Gatsby framework prior to versions 4.25.7 and 5.9.1

CVE-2023-34238 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.

Learn more about our Cis Benchmark Audit For Server Software.