Last tested: 26 May, 2018

react vulnerabilities

React is a JavaScript library for building user interfaces.

View on npm

react (latest)

Published 24 May, 2018

Known vulnerabilities0
Vulnerable paths0
Dependencies20

No known vulnerabilities in react

Security wise, react seems to be a safe package to use.
Over time, new vulnerabilities may be disclosed on react and other packages. To easily find, fix and prevent such vulnerabilties, protect your repos with Snyk!

Vulnerable versions of react

Fixed in 0.14.0

Cross-site Scripting (XSS)

high severity

Detailed paths

  • Introduced through: react@0.13.3

Overview

react is React is a JavaScript library for building user interfaces..

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) due to the createElement method not validating the object, allowing a malicious user to pass a specially crafted JSON object and renders them as an element.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser to execute malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions typically blocked by the browser’s Same Origin Policy.

These attacks are possible by escaping the context of the web application and injecting malicious scripts in an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the clients side, unbeknown to the victim. This occurs when characters like \< > \" \' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists into the web app’s database.
  • Reflected XSS is an which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an that occurs purely in the browser when client-side JavaScript echoes back a portion of the URL onto the page. DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

Upgrade react to version 0.14.0 or higher.

References

Fixed in 0.5.2

Cross-site Scripting (XSS)

medium severity
  • Vulnerable module: react
  • Introduced through: react@0.5.1

Detailed paths

  • Introduced through: react@0.5.1

Overview

react is React is a JavaScript library for building user interfaces..

Affected versions of the package contain Cross-site Scripting (XSS) vulnerability due to unescaped text before inserted into the DOM.

A Cross-site Scripting (XSS) vulnerability can arise when using user data as a key. Typically "safe" data is used for a key, for example, an id from your database, or a unique hash. However there are cases where it may be reasonable to use user generated content. A carefully crafted piece of content could result in arbitrary code execution.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser to execute malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions typically blocked by the browser’s Same Origin Policy.

These attacks are possible by escaping the context of the web application and injecting malicious scripts in an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the clients side, unbeknown to the victim. This occurs when characters like \< > \" \' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists into the web app’s database.
  • Reflected XSS is an which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an that occurs purely in the browser when client-side JavaScript echoes back a portion of the URL onto the page. DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

This vulnerability only affects v0.5.x and v0.4.x. Versions in the 0.3.x family are unaffected. Upgrade react to version 0.5.2\0.4.2 or higher.

References