Command Injection Vulnerability in React Development Utilities by Facebook
CVE-2021-24033
Severity: 5.6 (MEDIUM)
What is CVE-2021-24033?
The react-dev-utils package prior to version 11.0.4 contains a vulnerability in the function getProcessForPort: user-provided input is concatenated into a command string that is then executed. The risk arises mainly when developers invoke this function directly from their own code with unsanitized input. Usage through react-scripts, the standard tooling in Create React App projects, does not expose this vulnerability.
Affected Version(s)
react-dev-utils < 11.0.4