CVE-2024-29180 Overview
CVE-2024-29180 is a path traversal vulnerability in webpack-dev-middleware, the development middleware for webpack. The vulnerability exists because the middleware does not validate the supplied URL address sufficiently before returning local files. By using URL-encoded path sequences (%2e and %2f), an attacker can bypass path restrictions and access any file on the developer's machine.
The middleware can operate with either the physical filesystem or a virtualized in-memory memfs filesystem. When the writeToDisk configuration option is set to true, the physical filesystem is used, making exploitation particularly impactful. The vulnerable getFilenameFromUrl method parses URLs and builds local file paths by stripping the public path prefix and appending the unescaped path suffix to the outputPath. Since the URL is not properly unescaped and normalized before processing, path traversal attacks become possible.
Critical Impact
Attackers can access and exfiltrate any file from a developer's machine, including source code, credentials, SSH keys, and other sensitive data. If the development server listens on a public IP or allows third-party domain access, remote exploitation without victim interaction is possible.
Affected Products
- webpack-dev-middleware versions prior to 7.1.0
- webpack-dev-middleware versions prior to 6.1.2
- webpack-dev-middleware versions prior to 5.3.4
Discovery Timeline
- 2024-03-21 - CVE-2024-29180 published to NVD
- 2025-12-15 - Last updated in NVD database
Technical Details for CVE-2024-29180
Vulnerability Analysis
This path traversal vulnerability (CWE-22) allows unauthorized file access through improper URL validation. The core issue lies in the getFilenameFromUrl method which processes user-supplied URLs without proper sanitization. When a request comes in, the middleware strips the public path prefix from the URL and appends the remaining path to the output directory. However, because URL-encoded characters are not decoded before path construction, an attacker can use %2e (representing .) and %2f (representing /) sequences to construct directory traversal payloads that escape the intended directory boundaries.
The vulnerability affects developers using webpack-dev-server or webpack-dev-middleware during development. The attack surface varies based on the server's network exposure: if listening on localhost only, an attacker would need to leverage cross-site scripting or other client-side attacks; if listening on 0.0.0.0 or a public IP, direct network access enables exploitation without any user interaction.
Root Cause
The root cause is insufficient input validation in the URL processing logic. The getFilenameFromUrl method in src/utils/getFilenameFromUrl.js does not properly unescape and normalize URL paths before using them to construct file system paths. This allows encoded path traversal sequences to bypass validation checks that would otherwise prevent access to files outside the designated output directory.
Attack Vector
The attack is network-based and requires no authentication or user privileges. An attacker can craft a malicious HTTP request containing URL-encoded path traversal sequences (such as ..%2f..%2f..%2f) to navigate outside the intended web root and access arbitrary files on the system. The attack complexity is low, requiring only the ability to send HTTP requests to the development server.
When the development server is bound to a public interface or 0.0.0.0, attackers on the same network can directly exploit the vulnerability. Alternatively, if the server allows cross-origin requests, an attacker can host a malicious webpage that makes requests to the victim's local development server when visited.
The vulnerability mechanism involves URL-encoded path traversal sequences bypassing path validation. When a request URL contains sequences like %2e%2e%2f (which decodes to ../), the middleware fails to normalize these before path construction, allowing directory traversal. For detailed technical information about the vulnerable code paths, refer to the GitHub File Utility Script and the GitHub Security Advisory.
Detection Methods for CVE-2024-29180
Indicators of Compromise
- HTTP requests to the development server containing URL-encoded path traversal sequences such as %2e%2e%2f or %2e%2e/
- Access logs showing requests for sensitive system files like /etc/passwd, .ssh/id_rsa, or .env files
- Unusual outbound data transfers from development environments
- Requests targeting common sensitive files with traversal patterns in the URL path
Detection Strategies
- Monitor development server access logs for URL patterns containing %2e, %2f, or decoded .. sequences
- Implement network monitoring to detect connections to development server ports from unexpected sources
- Deploy web application firewall rules to block requests containing path traversal patterns
- Use SentinelOne's behavioral AI to detect anomalous file access patterns on developer workstations
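The log check from the first strategy above, as an added example (not part of the original advisory or of webpack-dev-middleware). It assumes access logs in the common log format, for instance from a reverse proxy in front of the dev server; the sample lines, `classify` and `scan` are constructed for illustration.

```javascript
// Constructed sample lines (documentation addresses, not real traffic).
const SAMPLE_LOG = [
  '127.0.0.1 - - [21/Mar/2024:10:00:01 +0000] "GET /public/js/app.js HTTP/1.1" 200 5120',
  '192.0.2.10 - - [21/Mar/2024:10:00:02 +0000] "GET /public/%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 312',
  '192.0.2.10 - - [21/Mar/2024:10:00:03 +0000] "GET /public/..%2F..%2Fconfig/secrets.json HTTP/1.1" 404 0',
  '127.0.0.1 - - [21/Mar/2024:10:00:04 +0000] "GET /public/img/logo%20small.png HTTP/1.1" 200 2048',
  '192.0.2.10 - - [21/Mar/2024:10:00:05 +0000] "GET /public/%252e%252e%252f.env HTTP/1.1" 404 0',
];

const REQUEST_RE = /^(\S+) .*?"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Decode repeatedly (bounded) so double-encoded sequences are also unwrapped.
function fullyDecode(target, maxRounds = 3) {
  let current = target, rounds = 0;
  while (rounds < maxRounds) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
    rounds += 1;
  }
  return { decoded: current, rounds };
}

// Returns null for benign or unparseable lines, otherwise a finding object.
function classify(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, client, , target, status] = m;
  const rawPath = target.split("?")[0];
  const reasons = [];
  if (/%2e/i.test(rawPath)) reasons.push("encoded-dot");
  if (/%2f/i.test(rawPath)) reasons.push("encoded-slash");
  const { decoded, rounds } = fullyDecode(rawPath);
  if (rounds > 1) reasons.push("multi-encoded");
  if (decoded.replace(/\\/g, "/").split("/").includes("..")) reasons.push("dot-dot-segment");
  if (reasons.length === 0) return null;
  // served === true means the server answered 200: review that request first.
  return { client, target, reasons, served: status === "200" };
}

function scan(lines) {
  return lines.map(classify).filter(Boolean);
}

console.log(scan(SAMPLE_LOG));
```

Findings with `served: true` are the ones to prioritize during log review, since the server returned content for a traversal-shaped path.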
Monitoring Recommendations
- Enable verbose logging on webpack-dev-server to capture all incoming requests with full URL paths
- Configure network monitoring to alert on connections to common development ports (8080, 3000, etc.) from external IPs
- Monitor file system access on developer machines for reads of sensitive configuration files
- Review audit logs for access to files outside the project directory during development sessions
How to Mitigate CVE-2024-29180
Immediate Actions Required
- Update webpack-dev-middleware to version 7.1.0, 6.1.2, or 5.3.4 depending on your major version branch
- Ensure development servers are not bound to 0.0.0.0 or public IP addresses
- Configure firewalls to block external access to development server ports
- Review access logs for signs of exploitation attempts before applying the patch
Patch Information
The vulnerability has been fixed in webpack-dev-middleware versions 7.1.0, 6.1.2, and 5.3.4. The fix ensures that URLs are properly unescaped and normalized before any further processing, preventing path traversal attacks.
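Added example, not webpack-dev-middleware's own code: a simplified model of the root cause described under Technical Details (strip the public path, unescape, append to outputPath) beside a form that decodes, normalizes and then enforces containment. `OUTPUT_PATH`, `PUBLIC_PATH`, `resolveUnsafe` and `resolveSafe` are hypothetical names with constructed values.

```javascript
const path = require("node:path").posix; // POSIX rules so results are platform-independent

// Constructed values for illustration; not taken from any real project.
const OUTPUT_PATH = "/srv/app/dist";
const PUBLIC_PATH = "/public/";

// "Before" pattern: strip the prefix, unescape the suffix, append to outputPath.
// Nothing checks that the joined result is still under OUTPUT_PATH.
function resolveUnsafe(urlPath) {
  if (!urlPath.startsWith(PUBLIC_PATH)) return null;
  const suffix = decodeURIComponent(urlPath.slice(PUBLIC_PATH.length));
  return path.join(OUTPUT_PATH, suffix);
}

// Hardened pattern: decode once, normalize, then enforce containment.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding is rejected outright
  }
  if (decoded.includes("\0")) return null; // NUL never belongs in a file path
  const normalized = path.normalize(decoded); // collapses "." and ".." segments
  if (!normalized.startsWith(PUBLIC_PATH)) return null; // left the public prefix
  const candidate = path.resolve(OUTPUT_PATH, normalized.slice(PUBLIC_PATH.length));
  // Defense in depth: the resolved file must still sit under OUTPUT_PATH.
  const rel = path.relative(OUTPUT_PATH, candidate);
  if (rel === ".." || rel.startsWith("../")) return null;
  return candidate;
}

// Constructed request paths: one ordinary asset, one encoded traversal.
for (const p of ["/public/js/app.js", "/public/%2e%2e%2f.env"]) {
  console.log(p, "->", resolveUnsafe(p), "|", resolveSafe(p));
}
```

The encoded request resolves outside the output directory in the first function and is rejected by the second; a double-encoded variant stays a literal file name inside the output directory because it is decoded only once.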
Workarounds
- Bind the development server to localhost (127.0.0.1) only instead of 0.0.0.0 or public interfaces
- Use a reverse proxy with proper path validation in front of the development server
- Disable CORS or restrict allowed origins to prevent cross-origin exploitation
- Implement network segmentation to isolate development environments from untrusted networks
# Configuration example - Bind webpack-dev-server to localhost only
# In webpack.config.js, ensure devServer configuration restricts the host:
# devServer: {
#   host: '127.0.0.1',
#   allowedHosts: ['localhost'],
#   port: 8080
# }
# Or when starting from command line:
npx webpack serve --host 127.0.0.1 --allowed-hosts localhost


