CVE-2023-34238
Local File Inclusion vulnerability in GatsbyGatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `[email protected]` and `[email protected]` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
We have discovered 27,956 live websites that are affected by CVE-2023-34238.
Affected Software
| Product |  Gatsby |
| Category | Static Site Generator |
| Vulnerable Domains | 27,956 live websites (68.26% of Gatsby install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 771 versions ( 96.38% of all versions) |
Common Weakness Enumeration
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Details
- Published - Jun 7, 2023
- Updated - Jan 6, 2025
CWE
CVE References
CWE References
CVE-2023-34238 usage by Country
 United States | 23,505 websites |
 Germany | 889 websites |
 France | 731 websites |
 Poland | 268 websites |
 GB | 215 websites |
 Netherlands | 183 websites |
 Russia | 140 websites |
 Japan | 124 websites |
 Singapore | 124 websites |
 Switzerland | 120 websites |
CVE-2023-34238 usage by TLD
| .com | 12,732 websites |
| .org | 1,128 websites |
| .de | 819 websites |
| .co.uk | 800 websites |
| .io | 798 websites |
| .fr | 746 websites |
| .net | 637 websites |
| .se | 563 websites |
| .com.au | 453 websites |
| .pl | 432 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-34238
Top websites that are affected by CVE-2023-34238. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.me | Japan | *** | |
| ******.ee | United States | *,*** | |
| *********.******.com | United States | *,*** | |
| ***************.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ***********.org | United States | *,*** | |
| *********.**********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ********.com | United States | *,*** |
FAQ
CVE-2023-34238 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Gatsby
A total of 27,956 websites have been identified as vulnerable to CVE-2023-34238, discovered through global website indexing conducted by WebTechSurvey.
Gatsby is susceptible to CVE-2023-34238 vulnerability.
Gatsby versions before 5.9.1 are vulnerable to CVE-2023-34238.
Version 5.9.1 of Gatsby addresses the CVE-2023-34238 security vulnerability.