Vulnerability Description
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| React-Dev-Utils | >= 1.0.0, < 1.0.4 | |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/facebook/create-react-app/pull/4866Third Party Advisory
- https://github.com/facebook/create-react-app/releases/tag/v1.1.5Release NotesThird Party Advisory
- https://github.com/facebook/create-react-app/pull/4866Third Party Advisory
- https://github.com/facebook/create-react-app/releases/tag/v1.1.5Release NotesThird Party Advisory
FAQ
What is CVE-2018-6342?
CVE-2018-6342 is a vulnerability with a CVSS score of 9.8 (CRITICAL). react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, all...
How severe is CVE-2018-6342?
CVE-2018-6342 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-6342?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook React-Dev-Utils, Microsoft Windows.