Moderate severity · NVD Advisory · Published Dec 31, 2018 · Updated May 6, 2025
CVE-2018-6341
Description
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react-dom (npm) | >= 16.0.0, < 16.0.1 | 16.0.1 |
| react-dom (npm) | >= 16.1.0, < 16.1.2 | 16.1.2 |
| react-dom (npm) | >= 16.2.0, < 16.2.1 | 16.2.1 |
| react-dom (npm) | >= 16.3.0, < 16.3.3 | 16.3.3 |
| react-dom (npm) | >= 16.4.0, < 16.4.2 | 16.4.2 |
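One way to check a project against the ranges in the table above, as an added example that is not part of the advisory or of React's code. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Ranges transcribed from the "Affected packages" table.
const AFFECTED = [
  ["16.0.0", "16.0.1"],
  ["16.1.0", "16.1.2"],
  ["16.2.0", "16.2.1"],
  ["16.3.0", "16.3.3"],
  ["16.4.0", "16.4.2"],
];

// Parse "x.y.z" with optional prerelease/build suffix; null if not semver-like.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify one react-dom version against the advisory's ranges.
function checkReactDom(version) {
  const v = parseVersion(version);
  if (!v) return { version, status: "unparsed" };
  // Prereleases are not listed in the advisory; flag them for manual review.
  if (v.pre) return { version, status: "review" };
  for (const [from, fixed] of AFFECTED) {
    const lo = parseVersion(from).nums, hi = parseVersion(fixed).nums;
    if (compare(v.nums, lo) >= 0 && compare(v.nums, hi) < 0)
      return { version, status: "affected", fixedIn: fixed };
  }
  return { version, status: "not-affected" };
}

// Walk the lockfile's "packages" map, including nested copies of react-dom
// pulled in by other dependencies.
function scanLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/react-dom$/.test(path))
    .map(([path, meta]) => ({ path, ...checkReactDom(meta.version) }));
}

// Constructed sample input, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react-dom": { version: "16.4.1" },
  "node_modules/ssr-widget/node_modules/react-dom": { version: "16.3.3" },
  "node_modules/react-dom-factories": { version: "1.0.2" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

A hit only shows that the installed version is in an affected range; per the description, exposure requires rendering to HTML with the ReactDOMServer API using user-supplied attribute names.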
References
- github.com/advisories/GHSA-mvjj-gqq2-p4hw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-6341 (advisory)
- reactjs.org/blog/2018/08/01/react-v-16-4-2.html (web)
- snyk.io/vuln/npm:react-dom:20180802 (web)
- twitter.com/reactjs/status/1024745321987887104 (web)
- www.npmjs.com/advisories/1421 (web)