Cross-Site Scripting in react
Description
Affected versions of react are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input.
Recommendation
If you are using react 0.5.x, upgrade to version 0.5.2 or later. If you are using react 0.4.x, upgrade to version 0.4.2 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
React versions 0.4.x and 0.5.x are vulnerable to XSS via unsanitized keys that allow arbitrary JavaScript execution.
Vulnerability
Analysis
React versions 0.4.x and 0.5.x contain a cross-site scripting (XSS) vulnerability in the ReactTextComponent where the rootID used as a key is not properly sanitized before being rendered into the DOM. The component directly concatenates the rootID into an attribute string without escaping it, specifically in the mountComponent method where the rootID is placed into a span element's attribute [1][3][4].
Exploitation
An attacker can exploit this by supplying user-controlled data as a key for a React element. While typically keys are expected to be safe identifiers (like database IDs), if user-generated content is used as a key, a carefully crafted value can include malicious JavaScript that is not escaped. When the component is mounted, the unsanitized rootID is inserted into the HTML, allowing arbitrary JavaScript execution in the context of the application's domain [2].
Impact
Successful exploitation leads to XSS, enabling the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected page. This can result in session hijacking, data theft, or other malicious actions depending on the application's use of user data as keys [2].
Mitigation
The vulnerability is fixed in React versions 0.4.2 and 0.5.2. Developers using affected versions should upgrade immediately. The fix, as shown in commits [3] and [4], adds the escapeTextForBrowser function call around the rootID to properly sanitize the value before inserting it into the DOM [1][2].
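To make the mechanics of the fix concrete, the following is an added example (not React's own source and not part of the advisory): a stand-alone reimplementation of the ReactTextComponent markup builder in its unpatched and patched forms, an escaper modelled on React's escapeTextForBrowser (the entity table is assumed to match what 0.4.2/0.5.2 shipped), and a regression-style check that verifies the attribute value contains no raw HTML metacharacters. ATTR_NAME, the sample rootID and the check function are all constructed for this example.

```javascript
// Added example: unpatched vs. patched ReactTextComponent markup builder,
// plus a check that the patched output keeps the rootID inside the attribute.
// Nothing here is React's own code; names and values are assumed for illustration.

// Attribute React used for the root ID (value assumed for this example).
const ATTR_NAME = 'data-reactid';

// Escape table modelled on React's escapeTextForBrowser (assumed to match the patched release).
const ESCAPE_LOOKUP = { '&': '&amp;', '>': '&gt;', '<': '&lt;', '"': '&quot;', "'": '&#x27;' };
const ESCAPE_REGEX = /[&><"']/g;

function escapeTextForBrowser(text) {
  return String(text).replace(ESCAPE_REGEX, (m) => ESCAPE_LOOKUP[m]);
}

// Unpatched builder: rootID is concatenated raw into the attribute value.
function mountTextUnpatched(rootID, text) {
  return '<span ' + ATTR_NAME + '="' + rootID + '">' + escapeTextForBrowser(text) + '</span>';
}

// Patched builder: rootID is escaped before it lands in the attribute.
function mountTextPatched(rootID, text) {
  return '<span ' + ATTR_NAME + '="' + escapeTextForBrowser(rootID) + '">' +
    escapeTextForBrowser(text) + '</span>';
}

// Regression-style check (constructed): true when the markup has exactly one quoted
// attribute value, that value contains no raw <, > or ', and every & starts a known entity.
function attributeValueIsEscaped(markup) {
  if (markup.split('"').length !== 3) return false; // a raw " in rootID adds extra quotes
  const m = markup.match(new RegExp('^<span ' + ATTR_NAME + '="([^"]*)">'));
  if (!m) return false;
  const value = m[1];
  if (/[<>']/.test(value)) return false;
  return value.split('&').slice(1).every((rest) => /^(amp|gt|lt|quot|#x27);/.test(rest));
}

// Constructed sample: a rootID carrying each character the escaper must handle.
const SAMPLE_ROOT_ID = '.0"<bad>&\'';

console.log('unpatched:', mountTextUnpatched(SAMPLE_ROOT_ID, 'hello'));
console.log('patched:  ', mountTextPatched(SAMPLE_ROOT_ID, 'hello'));
```

With the sample rootID the unpatched builder emits a second `"` inside the tag, so the check returns false, while the patched builder yields `data-reactid=".0&quot;&lt;bad&gt;&amp;&#x27;"` and the check returns true; a benign rootID such as `.0.1` passes under both builders, which is why the bug was invisible to applications that only ever used internally generated keys.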
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react (npm) | >= 0.4.0, < 0.4.2 | 0.4.2 |
| react (npm) | >= 0.5.0, < 0.5.2 | 0.5.2 |
Affected products
Patches (2)
393a889aaceb: fixes ReactTextComponent rootID unescapedness
1 file changed · +1 −1
src/core/ReactTextComponent.js+1 −1 modified@@ -58,7 +58,7 @@ mixInto(ReactTextComponent, { mountComponent: function(rootID) { ReactComponent.Mixin.mountComponent.call(this, rootID); return ( - '<span ' + ReactMount.ATTR_NAME + '="' + rootID + '">' + + '<span ' + ReactMount.ATTR_NAME + '="' + escapeTextForBrowser(rootID) + '">' + escapeTextForBrowser(this.props.text) + '</span>' );
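Review bot: the fix wraps rootID in escapeTextForBrowser, but the hunk does not show that function being required into the module; it is already applied to `this.props.text` in the unchanged context, so it should be in scope, but worth confirming. Because the value lands inside a double-quoted attribute, the escaper must encode `"` as well as `<`, `>` and `&`; a regression test that mounts a text component with a rootID containing `"` and asserts the attribute value is entity-encoded would lock this in.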
94a9a3e752fe: fixes ReactTextComponent rootID unescapedness
1 file changed · +1 −1
src/core/ReactTextComponent.js+1 −1 modified@@ -65,7 +65,7 @@ mixInto(ReactTextComponent, { mountDepth ); return ( - '<span ' + ReactMount.ATTR_NAME + '="' + rootID + '">' + + '<span ' + ReactMount.ATTR_NAME + '="' + escapeTextForBrowser(rootID) + '">' + escapeTextForBrowser(this.props.text) + '</span>' );
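Review bot: same one-line change as the other commit, applied to the mountComponent variant that also takes mountDepth, so the attribute value and the text child are now escaped consistently in both copies. Since the two copies of this markup builder drifted apart once, suggest adding the same regression test next to each (or sharing one) so a future edit to one copy cannot reintroduce the raw concatenation in the other.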
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g53w-52xc-2j85 (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-7035 (source: GHSA; advisory)
- github.com/facebook/react/commit/393a889aaceb761f058b09a701f889fa8f8b4e64 (source: GHSA; web)
- github.com/facebook/react/commit/94a9a3e752fe089ab23f3a90c26d20d46d62ab10 (source: GHSA; web)
- reactjs.org/blog/2013/12/18/react-v0.5.2-v0.4.2.html (source: GHSA; web)
- snyk.io/vuln/npm:react:20131217 (source: GHSA; web)