CVE-2018-6342
Remote Code Execution vulnerability in react-dev-utils (npm)
What is CVE-2018-6342 About?
`react-dev-utils`, a helper package used by create-react-app, is vulnerable to remote code execution when an affected version runs on Windows. An attacker who can get crafted input to the vulnerable code path can run arbitrary commands with the privileges of the Node.js process, which on a developer workstation usually means the developer's own account. The upstream advisory scopes the issue to Windows; the fix shipped in create-react-app v1.1.5 and in the react-dev-utils releases listed under fixes below.
Affected Software
- react-dev-utils
- >=1.0.0, <1.0.4
- >=2.0.0, <2.0.2
- >=3.0.0, <3.1.2
- >=4.0.0, <4.2.2
- >=5.0.0, <5.0.2
The lower bound of each range is inclusive (the upstream advisory lists the x.0.0 release of each line as affected); the upper bound is the first fixed release of that line.
Technical Details
The public advisory describes the flaw only as remote code execution on Windows; the authoritative detail is the fix itself, which shipped in create-react-app v1.1.5 (pull request #4866, linked under Additional Resources). On Windows this bug class almost always has the same shape: attacker-influenced text, such as a file path or a configuration value, is concatenated into a single command string that is handed to cmd.exe (for example via `child_process.exec`, or `spawn` with a shell) instead of being passed as its own argv element. cmd.exe re-parses the whole line, so metacharacters such as `&`, `|`, `^` and double quotes inside the input terminate the intended command and start another one, which then runs with the privileges of the Node.js process. Windows also differs from POSIX in that `spawn` without a shell cannot launch `.cmd`/`.bat` shims, which is why tooling authors are tempted to route through cmd.exe in the first place.
What is the Impact of CVE-2018-6342?
Successful exploitation gives the attacker arbitrary command execution on the affected host with the privileges of the Node.js process, which on a developer workstation is normally the developer's interactive account. From there the usual consequences follow: full compromise of that machine, theft of source and credentials stored on it, and use of it as a foothold for further movement into the network.
What is the Exploitability of CVE-2018-6342?
Exploitation needs three things: an affected version of react-dev-utils, a Windows host (the advisory does not cover other platforms), and a way to get attacker-controlled input to the vulnerable code path. react-dev-utils is development and build tooling, so it normally runs without authentication and trusts what it is given; the realistic exposure is a Windows developer workstation or CI runner whose development server is reachable by other parties, or that builds a project containing untrusted files or configuration. Once those conditions hold no further privilege escalation is needed, since the injected command already runs as the Node.js process. Exposure drops sharply when the tooling only listens on localhost and only processes trusted project trees, but upgrading is the only real fix.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2018-6342?
Available Upgrade Options
- react-dev-utils
- >=1.0.0, <1.0.4 → Upgrade to 1.0.4
- >=2.0.0, <2.0.2 → Upgrade to 2.0.2
- >=3.0.0, <3.1.2 → Upgrade to 3.1.2
- >=4.0.0, <4.2.2 → Upgrade to 4.2.2
- >=5.0.0, <5.0.2 → Upgrade to 5.0.2
Upgrade within the major line already in use; the ranges mirror the affected-version list above, lower bound inclusive. After upgrading, run `npm ls react-dev-utils` to confirm that every installed copy, including ones nested under other packages, is at a fixed version.
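A version check against the ranges above, as an added example written for this page (not tooling from the project): it parses plain semver strings, treats each range's lower bound as inclusive (the way the upstream advisory expresses them), and walks a parsed package-lock.json in either the v1 nested `dependencies` shape or the v2/v3 `packages` map, so nested copies under other packages are found as well. The sample lockfile object is constructed for the example.

```javascript
// Added example (not project code): find affected react-dev-utils versions.
// Ranges follow the advisory above, lower bound inclusive (assumption).
const AFFECTED_RANGES = [
  { from: "1.0.0", fixed: "1.0.4" },
  { from: "2.0.0", fixed: "2.0.2" },
  { from: "3.0.0", fixed: "3.1.2" },
  { from: "4.0.0", fixed: "4.2.2" },
  { from: "5.0.0", fixed: "5.0.2" },
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release and build
// metadata are accepted but ignored, so "5.0.2-alpha.1" compares as 5.0.2,
// i.e. as fixed; a stricter check would flag pre-releases of the fix).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error("not a semver version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the release to upgrade to, or null when the version is not affected.
function fixedVersionFor(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(v, parseVersion(r.from)) >= 0 &&
        compareVersions(v, parseVersion(r.fixed)) < 0) {
      return r.fixed;
    }
  }
  return null;
}

function isAffected(version) {
  return fixedVersionFor(version) !== null;
}

// Walk a parsed package-lock.json and report every installed copy of `name`
// that falls in an affected range, together with its install path.
function findAffectedInLockfile(lock, name = "react-dev-utils") {
  const hits = [];
  const record = (path, version) => {
    const upgradeTo = fixedVersionFor(version);
    if (upgradeTo) hits.push({ path, version, upgradeTo });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + name) && entry.version) record(path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested dependencies tree
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + depName;
        if (depName === name && entry.version) record(path, entry.version);
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v2 shape): one affected copy, one nested fixed copy.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/legacy-tool": { version: "1.0.0" },
    "node_modules/react-dev-utils": { version: "5.0.1" },
    "node_modules/legacy-tool/node_modules/react-dev-utils": { version: "3.1.2" },
  },
};

// For a real project: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
console.log(JSON.stringify(findAffectedInLockfile(SAMPLE_LOCK), null, 2));
```

The lockfile walk matters because `npm ls` and this check can disagree with `package.json`: the vulnerable copy is often a transitive dependency pinned under another package, and bumping the top-level declaration alone leaves it in place.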
Additional Resources
- https://github.com/facebook/create-react-app/releases/tag/v1.1.5
- https://osv.dev/vulnerability/GHSA-29gp-92wp-94q8
- https://nvd.nist.gov/vuln/detail/CVE-2018-6342
- https://github.com/facebook/create-react-app/pull/4866
- https://github.com/advisories/GHSA-29gp-92wp-94q8
- https://www.npmjs.com/advisories/695
- https://github.com/facebook/create-react-app
What are Similar Vulnerabilities to CVE-2018-6342?
Similar Vulnerabilities: CVE-2023-45133, CVE-2022-21670, CVE-2021-44795, CVE-2020-8037, CVE-2019-10777
