CyberSec.Space Logo
Back to CVE Browser

CVE-2018-6342

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1100%
EPSS Percentile33.44th
PublishedDec 31, 2018
Last ModifiedMay 6, 2025

Vulnerability Description

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Affected Platforms (CPE)

πŸ“¦
Facebook

React Dev Utils

>= 1.0.0 and < 1.0.4
πŸ“¦
Facebook

React Dev Utils

>= 2.0.0 and < 2.0.2
πŸ“¦
Facebook

React Dev Utils

>= 3.0.0 and < 3.1.2
πŸ“¦
Facebook

React Dev Utils

>= 4.0.0 and < 4.2.2
πŸ“¦
Facebook

React Dev Utils

>= 5.0.0 and < 5.0.2

References & Advisories

πŸ”— https://github.com/facebook/create-react-app/pull/4866
πŸ”— https://github.com/facebook/create-react-app/releases/tag/v1.1.5
πŸ”— https://github.com/facebook/create-react-app/pull/4866
πŸ”— https://github.com/facebook/create-react-app/releases/tag/v1.1.5

Related Vulnerabilities

CVE-2021-240335.6

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command str...

CVE-2018-261110.0

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Service...

CVE-2018-010110.0

A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could ...

CVE-2018-1472110.0

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by ...