react-dev-utils on Windows vulnerable to Remote Code Execution

Description

react-dev-utils on Windows is vulnerable to remote code execution.

Recommendation

Update the react-dev-utils package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0, < 5.0.2

  >= 4.0.0, < 4.2.2

  >= 3.0.0, < 3.1.2

  >= 2.0.0, < 2.0.2

  >= 1.0.0, < 1.0.4**

• Patched version(s): **5.0.2

  4.2.2

  3.1.2

  2.0.2

  1.0.4**

References

• GHSA-29gp-92wp-94q8
• www.npmjs.com
• CVE-2018-6342
• CWE-78
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
• Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
• React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010

Tags:

npm

react-dev-utils