CVE-2023-5654
Information Disclosure vulnerability in react-devtools-core (npm)


What is CVE-2023-5654 About?

The React Developer Tools extension contains an information disclosure vulnerability where it fetches unvalidated URLs provided in messages. A malicious webpage can send a specially crafted message to the extension, causing it to arbitrarily fetch URLs via the victim's browser. This allows for potential SSRF-like behavior and is moderately easy to exploit.

Affected Software

react-devtools-core <4.28.4

Technical Details

The vulnerability exists in the React Developer Tools extension, specifically within a content script that registers a message listener via window.addEventListener('message', <listener>). This listener processes incoming messages from any webpage. The core flaw is that the code within this listener retrieves a URL from the received message and then uses fetch() to access this URL without any prior validation or sanitization. Consequently, a malicious webpage can craft a message containing an arbitrary URL (e.g., an internal network resource or a sensitive external endpoint). When this message is sent to the extension, the extension's content script will execute the fetch() request using the victim's browser context, potentially bypassing same-origin policies or firewall rules, leading to server-side request forgery (SSRF)-like behavior or internal network scanning.
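One way to close the gap described above, shown as an added example rather than the extension's own code or its actual patch: the listener validates the URL before calling fetch(). The message fields (`source`, `type`, `url`), the `EXPECTED_SOURCE` marker and the same-origin-only policy are assumptions made for illustration.

```javascript
// Added example: hardened form of a message listener that fetches a URL.
// Message shape and the same-origin policy are assumptions, not the project's code.
const EXPECTED_SOURCE = 'example-devtools-content-script'; // hypothetical marker

// Returns a normalized URL string if the request is allowed, otherwise null.
function validateFetchUrl(rawUrl, pageOrigin) {
  if (typeof rawUrl !== 'string' || rawUrl.length > 2048) return null;
  let url;
  try {
    // Relative paths resolve against the inspected page; "//host/x" resolves
    // to another host and is rejected by the origin check below.
    url = new URL(rawUrl, pageOrigin);
  } catch {
    return null;
  }
  // Only web schemes: rejects file:, data:, javascript:, chrome-extension: ...
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // "https://trusted@other-host/" puts the trusted name in the userinfo part.
  if (url.username || url.password) return null;
  // Scheme, host and port must all match the page that is being inspected.
  if (url.origin !== pageOrigin) return null;
  return url.href;
}

// selfWindow, pageOrigin and fetchImpl are injected so the logic can be tested
// outside a browser; in a content script they would be window,
// window.location.origin and fetch.
function createMessageListener({ selfWindow, pageOrigin, fetchImpl }) {
  return function onMessage(event) {
    // Ignore messages posted from other frames or windows.
    if (event.source !== selfWindow) return false;
    if (event.origin !== pageOrigin) return false;
    const data = event.data;
    if (!data || data.source !== EXPECTED_SOURCE || data.type !== 'fetch-file') {
      return false;
    }
    const safeUrl = validateFetchUrl(data.url, pageOrigin);
    if (safeUrl === null) return false;
    // No cookies, and a redirect to a different target fails instead of
    // being followed.
    fetchImpl(safeUrl, { credentials: 'omit', redirect: 'error' });
    return true;
  };
}
```

The source and origin checks alone do not stop the hostile page, because that page is the window posting the message; the URL validation is what limits what it can make the browser request.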

What is the Impact of CVE-2023-5654?

Successful exploitation may allow attackers to probe internal networks, bypass browser security policies, or make unauthorized requests to internal resources on behalf of the victim. This can lead to information disclosure or further attacks within an internal network.

What is the Exploitability of CVE-2023-5654?

Exploitation requires low to moderate complexity. The attacker must control a malicious webpage that the victim visits. From this webpage, the attacker can send a specially crafted message to the React Developer Tools extension. No authentication or specific privileges are required on the victim's browser beyond having the extension installed and active. This is a remote attack as it originates from a malicious webpage. The primary condition is that the victim has the vulnerable version of the React Developer Tools extension installed and running in their browser. The lack of URL validation makes exploitation highly probable if a user browses to a malicious site.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-5654?

Available Upgrade Options

  • react-devtools-core
    • <4.28.4 → Upgrade to 4.28.4

What are Similar Vulnerabilities to CVE-2023-5654?

Similar Vulnerabilities: CVE-2020-1599, CVE-2020-6819, CVE-2021-22902, CVE-2022-26462, CVE-2023-38831