CVE-2018-6341
Cross-Site Scripting (XSS) vulnerability in react-dom (npm)

Cross-Site Scripting (XSS) Proof of concept

What is CVE-2018-6341 About?

This vulnerability is a Cross-Site Scripting (XSS) flaw in `react-dom` that arises from improper validation of attribute names. Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's browser, potentially leading to data theft or defacement. Exploitation requires specific application configurations involving server-side rendering and user input in HTML tag attributes.

Affected Software

  • react-dom
    • >16.0.0, <16.0.1
    • >16.1.0, <16.1.2
    • >16.2.0, <16.2.1
    • >16.3.0, <16.3.3
    • >16.4.0, <16.4.2

Technical Details

The vulnerability occurs in affected versions of react-dom due to a failure to properly validate attribute names in HTML tags. Specifically, if a server-side React application uses ReactDOMServer to render HTML and incorporates user-supplied input directly into an HTML tag's attribute name, this input is not sufficiently sanitized. An attacker can inject malicious script as part of the attribute name, which is then rendered by the browser. When the page is viewed, the injected script executes in the context of the user's browser, leading to XSS.

What is the Impact of CVE-2018-6341?

Successful exploitation may allow attackers to execute arbitrary scripts in the user's browser, leading to session hijacking, defacement of the website, sensitive data exposure, or redirection to malicious sites.

What is the Exploitability of CVE-2018-6341?

Exploitation of this XSS vulnerability is moderately complex because several conditions must hold in the target application: it must be a server-side React application that renders to HTML with ReactDOMServer, and it must place user-supplied input directly into an HTML tag's attribute name. Where that is the case, no authentication is needed at the point of injection and the required privileges are low, so an unauthenticated remote attacker can supply the malicious input. The deciding factors are therefore the application's renderer and its input handling; the likelihood of exploitation rises the more an application uses user-supplied data in rendered component attributes without proper validation.
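The precondition described under Technical Details and restated above is that user-controlled strings end up as attribute names. The following is an added example, not code from react-dom or from the PoC author, of the input-handling control that removes that precondition: untrusted attribute names are checked against a strict name syntax and an application-chosen allow-list before they are passed to any renderer. The allow-list, the `data-*` rule and the sample input are assumptions constructed for the example.

```javascript
// Added example (not react-dom code): allow-list and syntax-check attribute
// names that come from untrusted input before they reach server-side rendering.

// Attribute names this hypothetical application accepts from users (assumed allow-list).
const ALLOWED_ATTRIBUTE_NAMES = new Set(['title', 'lang', 'dir']);

// Strict syntax for an attribute name: a letter or underscore, then letters,
// digits, '-', '_', '.' or ':'. Whitespace, quotes, '=', '/', '<' and '>' would
// let a name terminate the attribute or the tag, so any such name is rejected.
const VALID_ATTRIBUTE_NAME = /^[A-Za-z_][A-Za-z0-9_.:-]*$/;

// A name is accepted only if it is syntactically valid, is not an event
// handler attribute, and is either allow-listed or a well-formed data-* name.
function isAllowedAttributeName(name) {
  if (typeof name !== 'string' || !VALID_ATTRIBUTE_NAME.test(name)) return false;
  const lower = name.toLowerCase();
  if (lower.startsWith('on')) return false; // never accept on* attributes from users
  return ALLOWED_ATTRIBUTE_NAMES.has(lower) || lower.startsWith('data-');
}

// Split a user-supplied attribute object into the props that may be rendered
// and the names that were refused (useful for logging and alerting).
function filterUserAttributes(userAttrs) {
  const safe = {};
  const rejected = [];
  for (const [name, value] of Object.entries(userAttrs)) {
    if (isAllowedAttributeName(name)) {
      safe[name] = String(value);
    } else {
      rejected.push(name);
    }
  }
  return { safe, rejected };
}

// Escape a value for a double-quoted HTML attribute context.
function escapeAttributeValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize only the accepted attributes, in the shape a renderer would emit.
function renderAttributes(userAttrs) {
  const { safe } = filterUserAttributes(userAttrs);
  return Object.entries(safe)
    .map(([name, value]) => `${name}="${escapeAttributeValue(value)}"`)
    .join(' ');
}

// Constructed sample input: two acceptable names and three that must be refused
// (an event handler name, a name containing quote/space/equals, a name with '>' and '<').
const SAMPLE_USER_ATTRIBUTES = {
  title: 'Profile',
  'data-user-id': '42',
  onload: 'x',
  'title="a" foo': 'b',
  '><b': 'c',
};

const result = filterUserAttributes(SAMPLE_USER_ATTRIBUTES);
console.log('accepted:', Object.keys(result.safe));   // ['title', 'data-user-id']
console.log('rejected:', result.rejected);            // 3 names
console.log('rendered:', renderAttributes(SAMPLE_USER_ATTRIBUTES));
```

Upgrading react-dom to a fixed version is the fix for the flaw itself; a check like this belongs in the application layer regardless of library version, and the `rejected` list is a natural signal to feed into logging or detection.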

What are the Known Public Exploits?

PoC Author | Link | Commentary
diwangs    | Link | CVE-2018-6341

What are the Available Fixes for CVE-2018-6341?

Available Upgrade Options

  • react-dom
    • >16.0.0, <16.0.1 → Upgrade to 16.0.1
    • >16.1.0, <16.1.2 → Upgrade to 16.1.2
    • >16.2.0, <16.2.1 → Upgrade to 16.2.1
    • >16.3.0, <16.3.3 → Upgrade to 16.3.3
    • >16.4.0, <16.4.2 → Upgrade to 16.4.2


Additional Resources

What are Similar Vulnerabilities to CVE-2018-6341?

Similar Vulnerabilities: CVE-2017-1000007, CVE-2021-39144, CVE-2022-24706, CVE-2023-45133, CVE-2024-21390