CVE-2021-24033

CVE-2021-24033 affects react-dev-utils prior to v11.0.4, where the function getProcessForPort concatenates an input argument into a shell command. The issue is only exploitable if this function is called with user-supplied input (i.e., via custom code); using it from react-scripts (as in Create R...

CVE-2018-6342

The CVE-2018-6342 entry concerns react-dev-utils on Windows, where a local webserver accepts commands including one to launch an editor. The input to that command is not properly sanitized, enabling an attacker who can issue a network request (via CSRF or direct request) to execute arbitrary comm...