Impact
The vulnerability exists in the startBrowserProcess function within openBrowser.js of react-dev-utils, a component of create‑react‑app. On macOS systems, manipulated input can be injected into the operating system command that the function executes, enabling an attacker to run arbitrary commands with the privileges of the node process. The description explicitly states that remote exploitation is possible and that public exploits are available. This weakness falls under CWE‑77 and CWE‑78, signifying improper validation of command arguments and insecure command execution.
Affected Systems
The affected vendor is React for the create‑react‑app package. Versions up to and including 5.0.1 are impacted, as documented in the CVE description. Users of this package on macOS should be aware that any installation that has not yet been updated to a later release is vulnerable.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. The EPSS score of 1% shows a low exploitation probability at the time of analysis, yet the fact that a public exploit exists raises the practical risk. The vulnerability is not listed in the CISA KEV catalog, but the exposed attack surface can be leveraged from a remote context, particularly on development environments that automatically launch browsers.
OpenCVE Enrichment