react-dev-utils on Windows vulnerable to Remote Code Execution

Description

react-dev-utils on Windows is vulnerable to remote code execution.

Recommendation

Update the react-dev-utils package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0, < 5.0.2

  >= 4.0.0, < 4.2.2

  >= 3.0.0, < 3.1.2

  >= 2.0.0, < 2.0.2

  >= 1.0.0, < 1.0.4**

• Patched version(s): **5.0.2

  4.2.2

  3.1.2

  2.0.2

  1.0.4**

References

• GHSA-29gp-92wp-94q8
• www.npmjs.com
• CVE-2018-6342
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
• Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
• Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
• react-dev-utils OS Command Injection in function `getProcessForPort` - CVE-2021-24033

Tags:

npm

react-dev-utils