CVE-2018-6342 — react-dev-utils on Windows vulnerable to Remote Code Execution

Description

`react-dev-utils` on Windows is vulnerable to remote code execution. ## Recommendation Update to one of the following versions, depending on the release line that you are using. - 1.0.4 - 2.0.2 - 3.1.2 - 4.2.2 - 5.0.2 - 6.0.0-next.a671462c

How to fix CVE-2018-6342

To remediate CVE-2018-6342, upgrade the affected package to a fixed version below.

npm/react-dev-utils—upgrade to 1.0.4 or later

Is CVE-2018-6342 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.0, < 1.0.4

References (6)

ADVISORYgithub.com/advisories/GHSA-29gp-92wp-94q8
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-6342
PATCHgithub.com/facebook/create-react-app
WEBgithub.com/facebook/create-react-app/pull/4866
WEB