Skip to content

plugin-cloudflare-0.31.0.tgz: 2 vulnerabilities (highest severity is: 9.9) #205

New issue
New issue
Open
Open
plugin-cloudflare-0.31.0.tgz: 2 vulnerabilities (highest severity is: 9.9)#205
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jan 15, 2026
Vulnerable Library - plugin-cloudflare-0.31.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (plugin-cloudflare version) Remediation Possible**
CVE-2026-0933 Critical 9.9 wrangler-4.33.0.tgz Transitive 0.32.0
CVE-2026-22036 Medium 5.9 undici-7.16.0.tgz Transitive 0.32.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-0933

Vulnerable Library - wrangler-4.33.0.tgz

Command-line interface for all things Cloudflare Workers

Library home page: https://registry.npmjs.org/wrangler/-/wrangler-4.33.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-cloudflare-0.31.0.tgz (Root Library)
    • vite-plugin-1.12.3.tgz
      • wrangler-4.33.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

SummaryA command injection vulnerability (CWE-78) has been found to exist in the "wrangler pages deploy" command. The issue occurs because the "--commit-hash" parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of "--commit-hash" to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync("git show -s --format=%B ${commitHash}")). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where "wrangler pages deploy" is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

  • Run any shell command.
  • Exfiltrate environment variables.
  • Compromise the CI runner to install backdoors or modify build artifacts.
    Credits Disclosed responsibly by kny4hacker.
    Mitigation
  • Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
  • Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
  • Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Publish Date: 2026-01-20

URL: CVE-2026-0933

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-20

Fix Resolution (wrangler): 4.59.1

Direct dependency fix Resolution (@storm-stack/plugin-cloudflare): 0.32.0

Step up your Open Source Security Game with Mend here

CVE-2026-22036

Vulnerable Library - undici-7.16.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-7.16.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • plugin-cloudflare-0.31.0.tgz (Root Library)
    • vite-plugin-1.12.3.tgz
      • miniflare-4.20250902.0.tgz
        • undici-7.16.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Publish Date: 2026-01-14

URL: CVE-2026-22036

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9

Release Date: 2026-01-14

Fix Resolution (undici): 7.18.2

Direct dependency fix Resolution (@storm-stack/plugin-cloudflare): 0.32.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions