Description
Affected versions of react are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input.
Recommendation
Update the react package to the latest compatible version. Followings are version details:
Affected version(s): **>= 0.5.0, < 0.5.2 >= 0.4.0, < 0.4.2** Patched version(s): **0.5.2 0.4.2**
References
Related Issues
- DOMPurify contains a Cross-site Scripting vulnerability (GHSA-v8jm-5vwx-cfxm) - CVE-2025-15599
- bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) 2 - CVE-2018-20677
- Bootstrap Cross-site Scripting vulnerability (GHSA-7mvr-5x2g-wfc8) 2 - CVE-2018-14042
- bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) - CVE-2018-20677
- Tags:
- npm
- react
Anything's wrong? Let us know Last updated on May 22, 2023