← Back

CVE-2018-6342

nvd nist
Published: Dec 31, 2018Modified: May 6, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Affected (5)

Facebook
1 product
React Dev Utils
Configuration A
5 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Facebook
React Dev Utils
From 1.0.0 to 1.0.4
React Dev Utils
From 2.0.0 to 2.0.2
React Dev Utils
From 3.0.0 to 3.1.2
React Dev Utils
From 4.0.0 to 4.2.2
React Dev Utils
From 5.0.0 to 5.0.2
Running on/withPlatform Versions
Microsoft
Windows
All versions

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

Source: cve-assign@fb.com
Third Party Advisory
Source: cve-assign@fb.com
Release NotesThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesThird Party Advisory

Timeline

No history available yet.