react-dev-utils on Windows is vulnerable to remote code execution.
Update to one of the following versions, depending on the release line that you are using.
- 1.0.4
- 2.0.2
- 3.1.2
- 4.2.2
- 5.0.2
- 6.0.0-next.a671462c
| Score | Percentile |
|---|---|
| 0.79% | 73.50% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-29gp-92wp-94q8 ↗ |
| CVE | CVE-2018-6342 ↗ |
| CWE id | Name |
|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | react-dev-utils | >= 1.0.0, < 1.0.4 | 1.0.4 | — |
| npm | react-dev-utils | >= 2.0.0, < 2.0.2 | 2.0.2 | — |
| npm | react-dev-utils | >= 3.0.0, < 3.1.2 | 3.1.2 | — |
| npm | react-dev-utils | >= 4.0.0, < 4.2.2 | 4.2.2 | — |
| npm | react-dev-utils | >= 5.0.0, < 5.0.2 | 5.0.2 | — |