Описание
react-dev-utils on Windows vulnerable to Remote Code Execution
react-dev-utils on Windows is vulnerable to remote code execution.
Recommendation
Update to one of the following versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c
Пакеты
react-dev-utils
>= 1.0.0, < 1.0.4
1.0.4
react-dev-utils
>= 2.0.0, < 2.0.2
2.0.2
react-dev-utils
>= 3.0.0, < 3.1.2
3.1.2
react-dev-utils
>= 4.0.0, < 4.2.2
4.2.2
react-dev-utils
>= 5.0.0, < 5.0.2
5.0.2
Связанные уязвимости
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.