Cross-Site Scripting in react

Description

Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package’s createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim’s browser.

Recommendation

Update the react package to the latest compatible version. Followings are version details:

• Affected version(s): >= 0.0.1, < 0.14.0
• Patched version(s): 0.14.0

References

• GHSA-hg79-j56m-fxgv
• snyk.io
• www.npmjs.com
• danlec.com
• reactjs.org
• CWE-79
• OWASP 2021-A3

Related Issues

• Cross-Site Scripting in react-svg - Vulnerability
• Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
• CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
• Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485

Tags:

npm

react