CVE-2018-6342

Summary

CVE	CVE-2018-6342
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-12-31 22:29:00 UTC
Updated	2021-03-25 16:44:00 UTC
Description	react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Risk And Classification

Problem Types: CWE-78

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Create-react-app Project	React-dev-utils	All	All	All	All
Application	Create-react-app Project	React-dev-utils	All	All	All	All
Application	Facebook	React-dev-utils	All	All	All	All
Operating System	Microsoft	Windows	-	All	All	All
Operating System	Microsoft	Windows	-	All	All	All

References

Reference	Source	Link	Tags
Release v1.1.5 · facebook/create-react-app · GitHub	MISC	github.com	Release Notes, Third Party Advisory
Use file name whitelist to prevent RCE by acdlite · Pull Request #4866 · facebook/create-react-app · GitHub	MISC	github.com	Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

983136 Nodejs (npm) Security Update for react-dev-utils (GHSA-29gp-92wp-94q8)