VYPR
Critical severity · NVD Advisory · Published Dec 31, 2018 · Updated May 6, 2025

CVE-2018-6333

Description

Nuclide's hhvm-attach deep link handler lacked hostname sanitization, allowing HTML injection that could lead to code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The hhvm-attach deep link handler in Nuclide did not properly sanitize the hostname parameter before rendering it in the editor's context. This allowed an attacker to inject arbitrary HTML and other content by crafting a malicious URL. The issue affects Nuclide versions prior to v0.290.0 [1].

Exploitation

An attacker needs only to craft a URL with a malicious hostname parameter containing HTML or script content and convince a user to open it in Nuclide. The handler would then render the injected content within the editor's context. The fix introduced in commit 65f6bbd validates the hostname against RFC 952, rejecting any characters outside [A-Za-z0-9\-._], which prevents injection [2].

Impact

Successful exploitation allows the attacker to render arbitrary HTML and other content inside the editor's context. This could be chained to achieve code execution, since the injected content runs within the privileged editor environment [1].

Mitigation

The vulnerability is fixed in Nuclide v0.290.0. The fix adds hostname validation that rejects invalid characters, as shown in the commit 65f6bbd [2]. No workaround is available for earlier versions. Note that the Nuclide repository has been archived and is no longer maintained [2].
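The hostname check described in the Exploitation and Mitigation sections above, as an added example that is not Nuclide's code: it reproduces the fix's character allowlist next to a stricter structural check (an RFC 952 name is letters, digits, minus and period, with no empty labels and no label beginning or ending in a minus), and runs both over constructed sample hostnames, including an HTML-bearing one of the kind the advisory describes. The `createRemoteUri` helper and the `nuclide://` URI format are stand-ins assumed for the example, not Nuclide's actual API.

```javascript
// Added example (not Nuclide's code): hostname validation for a deep-link
// handler, modelled on the allowlist the CVE-2018-6333 fix describes.

// The fix's check: reject any character outside [A-Za-z0-9\-._].
// (RFC 952 itself lists only letters, digits, '-' and '.'; '_' is extra.)
const FIX_INVALID_CHARS = /[^A-Za-z0-9\-._]+/;

// A stricter, structural rule in the spirit of RFC 952 (with RFC 1123's
// relaxation that a label may start with a digit): labels of letters,
// digits and hyphens that neither start nor end with a hyphen, at most 63
// characters each, separated by single dots, with no empty labels.
const LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const STRICT_HOST = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`);

// Mirrors the fix's test. A non-string host would throw inside .match(),
// so the type is checked first and treated as "not allowed".
function passesFixCheck(host) {
  return typeof host === 'string' && host.match(FIX_INVALID_CHARS) === null;
}

// Structural validation: character set, label shape and overall length.
function isValidHostname(host) {
  return (
    typeof host === 'string' &&
    host.length > 0 &&
    host.length <= 253 &&
    STRICT_HOST.test(host)
  );
}

// Stand-in for the remote-URI builder; the URI format is constructed for
// this example and is not Nuclide's.
function createRemoteUri(host, path) {
  return `nuclide://${host}${path}`;
}

// Handler in the shape of the patched code path: the hostname is validated
// before it is used anywhere, and the error shown to the user is fixed text,
// so the untrusted value is never rendered into the editor.
function attachToHost(host, rootPath, notifications) {
  if (!isValidHostname(host)) {
    notifications.push('The specified host name contained invalid characters.');
    return null;
  }
  return createRemoteUri(host, rootPath);
}

// Constructed samples: a benign host, an HTML-bearing host (the class of
// input the advisory describes), and edge cases that a pure character
// allowlist lets through but the structural check rejects.
const SAMPLES = [
  'dev-box.example.com',
  '<i>x</i>.example.com',
  '',
  '-leading.example.com',
  'trailing-.example.com',
  'a..b',
  'under_score.example.com',
];

// Returns, per sample, whether each check accepts it.
function evaluateSamples() {
  return SAMPLES.map(host => ({
    host,
    fixCheck: passesFixCheck(host),
    strict: isValidHostname(host),
  }));
}

for (const r of evaluateSamples()) {
  console.log(JSON.stringify(r));
}
```

Running the block shows that the HTML-bearing sample fails both checks, which is the property the fix needed, while the empty string, leading or trailing hyphens, the doubled dot and the underscore pass the character allowlist and fail only the structural check; which of those a deep-link handler should tolerate is a policy decision, but the example makes the gap visible.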

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: nuclide (npm)
Affected versions: < 0.290.0
Patched versions: 0.290.0

Affected products: 2

Patches: 1

65f6bbd68340

Ignore invalid hostnames in hhvm-attach deep link

https://github.com/facebook/nuclide · Eric Bluestein · Mar 16, 2018 · via ghsa
1 file changed · +11 -0
  • pkg/nuclide-hhvm/lib/main.js (+11 -0, modified)
    @@ -113,6 +113,17 @@ class Activation {
         }
     
         const host = nuclideUri.getHostname(pathString);
    +
    +    // Allow only valid hostname characters, per RFC 952:
    +    // https://tools.ietf.org/html/rfc952
    +    const invalidMatch = host.match(/[^A-Za-z0-9\-._]+/);
    +    if (invalidMatch != null) {
    +      atom.notifications.addError(
    +        'The specified host name contained invalid characters.',
    +      );
    +      return;
    +    }
    +
         const cwd = nuclideUri.createRemoteUri(host, hackRootString);
         const notification = atom.notifications.addInfo(
           startDebugger
    
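Review bot: the check at `const invalidMatch = host.match(/[^A-Za-z0-9\-._]+/);` is a character allowlist only, so an empty host, or one built from allowed characters in an invalid shape such as `-` or `..`, passes and reaches `nuclideUri.createRemoteUri(host, hackRootString)`; since the comment cites RFC 952, which permits only letters, digits, minus and period (no underscore) and does not allow a name to begin with a minus, consider a full-match pattern over the whole string plus an explicit rejection of the empty string. Also, `host.match` throws if `nuclideUri.getHostname(pathString)` can return `null` for a path without a host; a `typeof host !== 'string'` guard before the match would route that case to the same `atom.notifications.addError` notification instead of an uncaught error.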

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)