CVE-2021-24033
Description
react-dev-utils prior to v11.0.4 allows command injection via the getProcessForPort function when called with user-controlled input, though typical usage via react-scripts is safe.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The vulnerability resides in the getProcessForPort function within react-dev-utils versions prior to v11.0.4. This function constructs a command string by concatenating an input argument directly into a shell command, which is then executed using execSync. When the input argument is derived from untrusted user input, an attacker can inject arbitrary shell commands, leading to command injection [1][2][4].
Exploitation Conditions
In typical usage, getProcessForPort is called internally by react-scripts (part of Create React App) with controlled, safe arguments, making the attack surface minimal for standard projects. However, if a developer manually invokes this function with user-provided values (e.g., from a web request or other external source), the application becomes vulnerable. No authentication is required if the attacker can supply input to such custom code [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Node.js process. This could lead to data exfiltration, system compromise, or further lateral movement within the environment [2][4].
Mitigation
The issue was patched in react-dev-utils v11.0.4 by replacing execSync with execFileSync, which does not pass arguments through a shell and thus prevents command injection [3]. Users should update to v11.0.4 or later. Note that Create React App is now deprecated, and users are encouraged to migrate to modern React frameworks [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react-dev-utils (npm) | >= 0.4.0, < 11.0.4 | 11.0.4 |
Affected products
- Range: unspecified
Patches
f5e415f3a5b6 Security Fix for Command Injection - huntr.dev (#10644)
1 file changed · +2 −1
packages/react-dev-utils/getProcessForPort.js+2 −1 modified@@ -9,6 +9,7 @@ var chalk = require('chalk'); var execSync = require('child_process').execSync; +var execFileSync = require('child_process').execFileSync; var path = require('path'); var execOptions = { @@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) { } function getProcessIdOnPort(port) { - return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions) + return execFileSync('lsof', ['-i:' + port, '-P', '-t', '-sTCP:LISTEN'], execOptions) .split('\n')[0] .trim(); }
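Review bot: in the getProcessIdOnPort hunk, moving to execFileSync('lsof', ['-i:' + port, '-P', '-t', '-sTCP:LISTEN'], execOptions) keeps the shell out of the call, but port is still concatenated unvalidated into the '-i:' argument; consider rejecting anything that is not an integer in 1..65535 before the spawn (for example `if (!/^\d{1,5}$/.test(String(port))) throw new Error('invalid port');`) so that an unexpected value fails loudly instead of reaching lsof as an argument. In the first hunk, `var execSync = require('child_process').execSync;` is left in place next to the new execFileSync require; if nothing else in the file still uses execSync, drop the now-unused require so a future change cannot quietly fall back to the shell-based call.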
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5q6m-3h65-w53x (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-24033 (ghsa; ADVISORY)
- github.com/facebook/create-react-app/commit/f5e415f3a5b66f07dcc60aba1b445fa7cda97268 (ghsa; WEB)
- github.com/facebook/create-react-app/pull/10644 (ghsa; x_refsource_MISC; WEB)
- www.facebook.com/security/advisories/cve-2021-24033 (ghsa; x_refsource_CONFIRM; WEB)
- www.huntr.dev/bounties/1-npm-react-dev-utils (ghsa; WEB)