Security Alert - Package: react-dev-utils; Severity: MODERATE

Question

Security Alert - Package: react-dev-utils; Severity: MODERATE

Opened this issue 3 years ago · 0 comments

    Affected package: react-dev-utils
    Ecosystem: NPM
    Affected version range: >= 0.4.0, < 11.0.4

    Summary: Improper Neutralization of Special Elements used in an OS Command.
    Description: react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-5q6m-3h65-w53x'}, {'type': 'CVE', 'value': 'CVE-2021-24033'}]

    Fixed Version: 11.0.4
    Created Date = January 25, 2022

    

    ---