Moderate severity · NVD Advisory · Published Oct 19, 2023 · Updated Sep 12, 2024
CVE-2023-5654
Description
The React Developer Tools extension registers a message listener with window.addEventListener('message', listener) in a content script that is accessible to any web page active in the browser. Within the listener is code that requests, via fetch(), a URL derived from the received message. The URL is neither validated nor sanitised before it is fetched, so a malicious web page can make the victim's browser fetch arbitrary URLs.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react-devtools-core (npm) | < 4.28.4 | 4.28.4 |
Affected products
- Meta / React Developer Tools Extension v5, range: < 4.28.4
Patches
Fixed in react-devtools-core 4.28.4; see the two facebook/react commits and pull request 27417 listed under References.
Vulnerability mechanics
References
- github.com/advisories/GHSA-rxrc-rgv4-jpvx (advisory, source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-5654 (advisory, source: GHSA)
- gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231 (web, source: GHSA)
- github.com/facebook/react/commit/09285d5a7f1c08bec09f44cec3d0518a603597fc (web, source: GHSA)
- github.com/facebook/react/commit/94d5b5b2bf5204ebd289a113989c0e2c51b626ef (web, source: GHSA)
- github.com/facebook/react/pull/27417 (web, source: GHSA)