Vulnerability Database

314,433

Total vulnerabilities in the database

Cross-Site Scripting in react

Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 0.14.0 or later.

Published: Sep 4, 2020
Updated: Apr 14, 2023
GHSA: GHSA-hg79-j56m-fxgv
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
@types / react	0.0.1	0.14.0

http://danlec.com/blog/xss-via-a-spoofed-react-element
https://reactjs.org/blog/2015/10/07/react-v0.14.html#notable-enhancements
https://reactjs.org/blog/2019/10/22/react-release-channels.html#experimental-channel
https://snyk.io/vuln/npm:react:20150318
https://www.npmjs.com/advisories/1347

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo