{"url":"http://public2.vulnerablecode.io/api/packages/57250?format=json","purl":"pkg:npm/react-dev-utils@2.0.0","type":"npm","namespace":"","name":"react-dev-utils","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"11.0.4","latest_non_vulnerable_version":"11.0.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40563?format=json","vulnerability_id":"VCID-r83h-uj95-zugy","summary":"Cross-Site Request Forgery (CSRF)\nreact-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6342","reference_id":"","reference_type":"","scores":[{"value":"0.00794","scoring_system":"epss","scoring_elements":"0.74315","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6342"},{"reference_url":"https://github.com/advisories/GHSA-29gp-92wp-94q8","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29gp-92wp-94q8"},{"reference_url":"https://github.com/facebook/create-react-app","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app"},{"reference_url":"https://github.com/facebook/create-react-app/pull/4866","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app/pull/4866"},{"reference_url":"https://github.com/facebook/create-react-app/releases/tag/v1.1.5","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app/releases/tag/v1.1.5"},{"reference_url":"https://www.npmjs.com/advisories/695","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/695"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6342","reference_id":"CVE-2018-6342","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6342"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57255?format=json","purl":"pkg:npm/react-dev-utils@2.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ry3h-v6dm-qba9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@2.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/57256?format=json","purl":"pkg:npm/react-dev-utils@3.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ry3h-v6dm-qba9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@3.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/57257?format=json","purl":"pkg:npm/react-dev-utils@4.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ry3h-v6dm-qba9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@4.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/57258?format=json","purl":"pkg:npm/react-dev-utils@5.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ry3h-v6dm-qba9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@5.0.2"}],"aliases":["CVE-2018-6342","GHSA-29gp-92wp-94q8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r83h-uj95-zugy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54142?format=json","vulnerability_id":"VCID-ry3h-v6dm-qba9","summary":"OS Command Injection\nreact-dev-utils exposes a function, `getProcessForPort`, where an input argument is concatenated into a command string to be executed.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-24033.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-24033.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-24033","reference_id":"","reference_type":"","scores":[{"value":"0.01439","scoring_system":"epss","scoring_elements":"0.81057","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-24033"},{"reference_url":"https://github.com/facebook/create-react-app","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app"},{"reference_url":"https://github.com/facebook/create-react-app/commit/f5e415f3a5b66f07dcc60aba1b445fa7cda97268","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app/commit/f5e415f3a5b66f07dcc60aba1b445fa7cda97268"},{"reference_url":"https://github.com/facebook/create-react-app/pull/10644","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/create-react-app/pull/10644"},{"reference_url":"https://www.huntr.dev/bounties/1-npm-react-dev-utils","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.huntr.dev/bounties/1-npm-react-dev-utils"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1936805","reference_id":"1936805","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1936805"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24033","reference_id":"CVE-2021-24033","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24033"},{"reference_url":"https://www.facebook.com/security/advisories/cve-2021-24033","reference_id":"CVE-2021-24033","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.facebook.com/security/advisories/cve-2021-24033"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79914?format=json","purl":"pkg:npm/react-dev-utils@11.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@11.0.4"}],"aliases":["CVE-2021-24033","GHSA-5q6m-3h65-w53x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ry3h-v6dm-qba9"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-dev-utils@2.0.0"}