VYPR
High severity · NVD Advisory · Published Dec 31, 2018 · Updated May 6, 2025

CVE-2018-6342

Description

Unsanitized editor launch command in react-dev-utils on Windows allows remote code execution via network requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The react-dev-utils package, used by Create React App, on Windows contains a command injection vulnerability in its local development webserver. The server accepts a command to launch an editor, and the input to that command was not properly sanitized, allowing an attacker to inject arbitrary shell commands [2]. This affects versions 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2 [2][4]. The fix introduced a whitelist-based validation of file names using the regex /^[\p{L}0-9/.\-_]+$/u [3].

Exploitation

An attacker can exploit this vulnerability by making a network request to the local webserver, either via Cross-Site Request Forgery (CSRF) or by direct request if the server is accessible [2]. The attacker provides a crafted payload as the editor launch command argument, which, due to insufficient sanitization, results in the execution of arbitrary commands on the Windows system running the development server [2]. No authentication is required; the attacker only needs network access to the server (typically bound to localhost, but it could be exposed).

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the targeted system with the privileges of the user running the development server [2]. This constitutes a full remote code execution (RCE) vulnerability, leading to complete compromise of the affected host's confidentiality, integrity, and availability [2][4].

Mitigation

Users should upgrade react-dev-utils to the following patched versions: 1.0.4, 2.0.2, 3.1.2, 4.2.2, or 5.0.2 depending on the branch [4]. The fix was implemented in pull request #4866 and committed to the repository on August 22, 2018 [3]. There is no known workaround other than updating; the package is widely used with Create React App, which has since been deprecated in favor of framework-specific solutions [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions     Patched versions
react-dev-utils (npm)   >= 1.0.0, < 1.0.4     1.0.4
react-dev-utils (npm)   >= 2.0.0, < 2.0.2     2.0.2
react-dev-utils (npm)   >= 3.0.0, < 3.1.2     3.1.2
react-dev-utils (npm)   >= 4.0.0, < 4.2.2     4.2.2
react-dev-utils (npm)   >= 5.0.0, < 5.0.2     5.0.2

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.