Description
Affected versions of react are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input.
Recommendation
Update the react package to the latest compatible version. Followings are version details:
Affected version(s): **>= 0.5.0, < 0.5.2 >= 0.4.0, < 0.4.2** Patched version(s): **0.5.2 0.4.2**
References
Related Issues
- Atro CSRF Middleware Bypass (security.checkOrigin) - CVE-2024-56140
- SillyTavern Web Interface Vulnerable DNS Rebinding - CVE-2025-59159
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
- Better Call routing bug can lead to Cache Deception - Vulnerability
- Tags:
- npm
- react
Anything's wrong? Let us know Last updated on May 22, 2023