{"id":"CVE-2018-6342","details":"react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.","aliases":["GHSA-29gp-92wp-94q8"],"modified":"2026-04-09T06:21:39.000375Z","published":"2018-12-31T22:29:00.467Z","references":[{"type":"ADVISORY","url":"https://github.com/facebook/create-react-app/pull/4866"},{"type":"ADVISORY","url":"https://github.com/facebook/create-react-app/releases/tag/v1.1.5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/create-react-app","events":[{"introduced":"bf9eca25f519c73f69cff20ac49ce9500e578fe0"},{"fixed":"7e25c9a6046fe057d3b4cc2eae20a0661d0273f3"},{"introduced":"ac5376f9b9ef589961f0231608395cbc4d903ba1"},{"fixed":"f0784fc27f538935efe4080033f49bf7c89577f2"},{"introduced":"265c1592dcf3853122dcdd50e1bfc1e43f697fbe"},{"fixed":"a825e8f5e3b7ecd84a0bcef61bbc26eb4e8fd9c3"},{"introduced":"9673858a3715287c40aef9e800c431c7d45c05a2"},{"fixed":"f0784fc27f538935efe4080033f49bf7c89577f2"},{"fixed":"dc74990b89b5c6e143b522c759be3dac2c286514"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.0.4"},{"introduced":"2.0.0"},{"fixed":"2.0.2"},{"introduced":"3.0.0"},{"fixed":"3.1.2"},{"introduced":"5.0.0"},{"fixed":"5.0.2"}]}}],"versions":["babel-plugin-named-asset-import@0.3.2","babel-plugin-named-asset-import@0.3.3","babel-preset-react-app@3.0.0","babel-preset-react-app@3.0.1","babel-preset-react-app@3.0.2","babel-preset-react-app@3.0.3","babel-preset-react-app@3.1.0","babel-preset-react-app@3.1.1","babel-preset-react-app@5.0.0","babel-preset-react-app@8.0.0","babel-preset-react-app@9.0.0","babel-preset-react-app@9.0.1","confusing-browser-globals@1.0.7","confusing-browser-globals@1.0.8","create-react-app@1.3.1","create-react-app@1.3.2","create-react-app@1.3.3","create-react-app@1.4.0","create-react-app@1.4.1","create-react-app@1.4.3","create-react-app@1.5.0","create-react-app@1.5.2","create-react-app@3.0.0","create-react-app@3.0.1","create-react-app@3.1.0","create-react-app@3.1.1","eslint-config-react-app@1.0.0","eslint-config-react-app@1.0.1","eslint-config-react-app@1.0.2","eslint-config-react-app@1.0.4","eslint-config-react-app@1.0.5","eslint-config-react-app@2.0.0","eslint-config-react-app@2.0.1","eslint-config-react-app@2.1.0","eslint-config-react-app@4.0.0","eslint-config-react-app@4.0.1","eslint-config-react-app@5.0.0","eslint-config-react-app@5.0.1","react-app-polyfill@0.1.1","react-app-polyfill@1.0.0","react-app-polyfill@1.0.1","react-app-polyfill@1.0.2","react-dev-utils@1.0.0","react-dev-utils@1.0.1","react-dev-utils@1.0.2","react-dev-utils@1.0.3","react-dev-utils@2.0.1","react-dev-utils@3.0.0","react-dev-utils@3.0.1","react-dev-utils@3.0.2","react-dev-utils@3.1.0","react-dev-utils@4.0.0","react-dev-utils@4.0.1","react-dev-utils@4.1.0","react-dev-utils@4.2.0","react-dev-utils@4.2.1","react-dev-utils@5.0.0","react-dev-utils@5.0.1","react-dev-utils@6.0.1","react-dev-utils@9.0.0","react-dev-utils@9.0.1","react-dev-utils@9.0.2","react-dev-utils@9.0.3","react-error-overlay@1.0.0","react-error-overlay@1.0.1","react-error-overlay@1.0.10","react-error-overlay@1.0.2","react-error-overlay@1.0.3","react-error-overlay@1.0.4","react-error-overlay@1.0.6","react-error-overlay@1.0.7","react-error-overlay@1.0.8","react-error-overlay@1.0.9","react-error-overlay@2.0.0","react-error-overlay@2.0.1","react-error-overlay@2.0.2","react-error-overlay@3.0.0","react-error-overlay@4.0.0","react-error-overlay@5.0.1","react-error-overlay@5.1.5","react-error-overlay@5.1.6","react-error-overlay@6.0.0","react-error-overlay@6.0.1","react-scripts@1.0.0","react-scripts@1.0.1","react-scripts@1.0.10","react-scripts@1.0.11","react-scripts@1.0.12","react-scripts@1.0.13","react-scripts@1.0.14","react-scripts@1.0.15","react-scripts@1.0.16","react-scripts@1.0.17","react-scripts@1.0.2","react-scripts@1.0.3","react-scripts@1.0.4","react-scripts@1.0.6","react-scripts@1.0.7","react-scripts@1.0.8","react-scripts@1.0.9","react-scripts@1.1.0","react-scripts@1.1.1","react-scripts@1.1.2","react-scripts@1.1.3","react-scripts@1.1.4","react-scripts@2.0.0","react-scripts@2.0.1","react-scripts@3.0.0","react-scripts@3.0.1","react-scripts@3.1.0","react-scripts@3.1.1","v1.0.0","v1.0.1","v1.0.10","v1.0.11","v1.0.12","v1.0.13","v1.0.16","v1.0.17","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v3.0.0","v3.0.1","v3.1.0","v3.1.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-6342.json","unresolved_ranges":[{"events":[{"introduced":"4.0.0"},{"fixed":"4.2.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}