CVE-2018-6342 : react-dev-utils on Windows allows developers to run a local webserver for accept

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Published 2018-12-31 22:29:00

Updated 2025-05-06 17:15:51

Source Facebook, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2018-6342

Facebook » React-dev-utils
Versions from including (>=) 5.0.0 and before (<) 5.0.2
cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Facebook » React-dev-utils
Versions from including (>=) 4.0.0 and before (<) 4.2.2
cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Facebook » React-dev-utils
Versions from including (>=) 1.0.0 and before (<) 1.0.4
cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Facebook » React-dev-utils
Versions from including (>=) 2.0.0 and before (<) 2.0.2
cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Facebook » React-dev-utils
Versions from including (>=) 3.0.0 and before (<) 3.1.2
cpe:2.3:a:facebook:react-dev-utils:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2018-6342

EPSS FAQ

0.79%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 72 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-6342

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-05-06
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-6342

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- cve-assign@fb.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2018-6342

https://github.com/facebook/create-react-app/releases/tag/v1.1.5

Release v1.1.5 · facebook/create-react-app · GitHub
Release Notes;Third Party Advisory
https://github.com/facebook/create-react-app/pull/4866

Use file name whitelist to prevent RCE by acdlite · Pull Request #4866 · facebook/create-react-app · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2018-6342

Products affected by CVE-2018-6342

Exploit prediction scoring system (EPSS) score for CVE-2018-6342

CVSS scores for CVE-2018-6342

CWE ids for CVE-2018-6342

References for CVE-2018-6342