CVE-2024-29180 – webpack-dev-middleware Path Traversal vulnerability

https://notcve.org/view.php?id=CVE-2024-29180

21 Mar 2024 — Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` m... • https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •