CVE-2021-24033
command injection vulnerability in react-dev-utils (npm)


What is CVE-2021-24033 About?

The `react-dev-utils` package prior to v11.0.4 contains a command injection vulnerability in the `getProcessForPort` function. Although safe when used in Create React App projects, custom code manually invoking this function with user-provided arguments can lead to arbitrary command execution. Exploitation requires specific misuse of the function with untrusted input.

Affected Software

react-dev-utils >0.4.0, <11.0.4

Technical Details

The `react-dev-utils` package's `getProcessForPort` function is vulnerable to command injection. The function runs a system command internally, and its input argument is concatenated directly into that command string without sanitization. Its intended use within react-scripts is safe, but any custom code that calls `getProcessForPort` with user-controlled or otherwise untrusted values would let an attacker inject and execute arbitrary shell commands.
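To make the pattern described above concrete, here is an added example (not react-dev-utils' own source; the `lsof` invocation is an assumed stand-in for whatever command such a helper runs): a lookup that splices its argument into a shell command string, beside a hardened version that validates the port and executes without a shell.

```javascript
// Added illustration (not react-dev-utils' own source): a port-to-process
// lookup that splices its argument into a shell command, beside a hardened
// version that validates the port and passes it as a discrete argument.
// The "lsof" invocation is an assumed stand-in for whatever command such a
// helper runs.

// Vulnerable pattern: the argument becomes part of a shell command string,
// so shell metacharacters in it (';', '&&', '|', ...) are interpreted.
function buildLookupCommandUnsafe(port) {
  return `lsof -i:${port} -P -t -sTCP:LISTEN`;
}

// Hardened step 1: accept only a TCP port number and return it as a
// canonical integer; anything else is rejected before reaching a command.
function parsePort(input) {
  const text = typeof input === "number" ? String(input) : input;
  if (typeof text !== "string" || !/^\d{1,5}$/.test(text)) {
    throw new TypeError(`invalid port: ${JSON.stringify(input)}`);
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError(`port out of range: ${port}`);
  }
  return port;
}

// Hardened step 2: build argv for execFile-style execution. No shell is
// involved, so the validated value can only ever be one argument.
function buildLookupArgv(input) {
  const port = parsePort(input);
  return ["lsof", ["-i:" + port, "-P", "-t", "-sTCP:LISTEN"]];
}

// Runs the hardened lookup and returns the PIDs listening on the port
// ([] when none; lsof exits 1 when it finds nothing).
async function findPidsOnPort(input) {
  const [cmd, args] = buildLookupArgv(input);
  const { execFileSync } = await import("node:child_process");
  try {
    const out = execFileSync(cmd, args, {
      encoding: "utf8",
      stdio: ["ignore", "pipe", "ignore"],
    });
    return out.split("\n").filter(Boolean).map(Number);
  } catch (err) {
    if (err.status === 1) return [];
    throw err;
  }
}
```

The validation rejects the tainted value before any command is built, and the argv form means that even a value that slipped through could not be parsed by a shell.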

What is the Impact of CVE-2021-24033?

Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system with the privileges of the affected application.

What is the Exploitability of CVE-2021-24033?

Exploitation of this vulnerability is highly specific: it requires custom code that misuses `getProcessForPort` by passing it untrusted input instead of using it as intended within react-scripts, so the complexity is moderate. Authentication and privilege requirements depend entirely on how and where the misused call is exposed; if it sits behind a user-facing API or service, no special authentication may be needed, and the issue can be remote or local depending on the accessibility of that code path. The primary risk factor is custom implementations that deviate from the standard react-scripts usage and inadvertently process untrusted input.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-24033?

Available Upgrade Options

  • react-dev-utils
    • >0.4.0, <11.0.4 → Upgrade to 11.0.4


Additional Resources

What are Similar Vulnerabilities to CVE-2021-24033?

Similar Vulnerabilities: CVE-2020-15169, CVE-2021-39144, CVE-2019-10777, CVE-2022-24756, CVE-2019-10769