GHSA-5q6m-3h65-w53x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5q6m-3h65-w53x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5q6m-3h65-w53x/GHSA-5q6m-3h65-w53x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5q6m-3h65-w53x
- Aliases
-
- CVE-2021-24033
- Published
- 2021-03-11T22:26:09Z
- Modified
- 2023-11-08T04:05:14.230118Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- react-dev-utils OS Command Injection in function `getProcessForPort`
- Details
-
react-dev-utils prior to v11.0.4 exposes a function,
getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you. - Database specific
{ "nvd_published_at": "2021-03-09T01:15:00Z", "cwe_ids": [ "CWE-78" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-03-11T22:18:08Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-24033
- https://github.com/facebook/create-react-app/pull/10644
- https://github.com/facebook/create-react-app/commit/f5e415f3a5b66f07dcc60aba1b445fa7cda97268
- https://github.com/facebook/create-react-app
- https://www.facebook.com/security/advisories/cve-2021-24033
- https://www.huntr.dev/bounties/1-npm-react-dev-utils
Affected packages
npm / react-dev-utils
Package
- Name
- react-dev-utils
- View open source insights on deps.dev
- Purl
- pkg:npm/react-dev-utils