react-dev-utils OS Command Injection in function `getProcessForPort`
Severity: Medium
Description
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe.
Recommendation
Update the react-dev-utils package to the latest compatible version. Version details:
- Affected version(s): >= 0.4.0, < 11.0.4
- Patched version(s): 11.0.4
References
- GHSA-5q6m-3h65-w53x
- www.facebook.com
- www.huntr.dev
- CVE-2021-24033
- CWE-78
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- Marp Core allows XSS by improper neutralization of HTML sanitization - CVE-2024-56510
- bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) 2 - CVE-2018-20677
Tags: npm, react-dev-utils
Last updated on January 27, 2023