GHSA-fwvp-x5gj-773j

Source

https://github.com/advisories/GHSA-fwvp-x5gj-773j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fwvp-x5gj-773j/GHSA-fwvp-x5gj-773j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fwvp-x5gj-773j

Published

2020-09-01T20:33:10Z

Modified

2023-07-27T20:35:13Z

Summary

Malicious Package in react-server-native

Details

Version 0.0.7 of react-server-native contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

If version 0.0.7 of this module is found installed you will want to replace it with a version before or after 0.0.7. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.

Users may consider downgrading to version 0.0.6

Database specific

{
    "github_reviewed_at": "2020-08-31T18:30:44Z",
    "cwe_ids": [],
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

https://www.npmjs.com/advisories/635

Affected packages

npm / react-server-native

Package

Name: react-server-native; View open source insights on deps.dev
Purl: pkg:npm/react-server-native

Affected ranges

Affected versions

0.*

0.0.7