react-dev-utils on Windows vulnerable to Remote Code Execution

説明

react-dev-utils on Windows is vulnerable to remote code execution.

Recommendation

Update to one of the following versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2019-01-04 17:41:20 UTC
更新
2023-01-27 05:02:43 UTC
GitHub レビュー済み
2020-06-16 20:51:46 UTC
NVD で公開
2018-12-31

EPSS Score

Score Percentile
0.79% 73.50%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected packages (5)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm react-dev-utils >= 1.0.0, < 1.0.4 1.0.4
npm react-dev-utils >= 2.0.0, < 2.0.2 2.0.2
npm react-dev-utils >= 3.0.0, < 3.1.2 3.1.2
npm react-dev-utils >= 4.0.0, < 4.2.2 4.2.2
npm react-dev-utils >= 5.0.0, < 5.0.2 5.0.2

References

cvelogic Threat Intelligence