GHSA-5q6m-3h65-w53x

GitHub Security Advisory

react-dev-utils OS Command Injection in function `getProcessForPort`

✓ GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

react-dev-utils prior to v11.0.4 exposes a function, `getProcessForPort`, in which an input argument (the port) is concatenated into a shell command string that is then executed. This function is normally called from react-scripts (in Create React App projects), where the usage is safe. Only when the function is invoked directly with user-provided values (i.e. by custom code) is there potential for command injection. If you only consume it through react-scripts, this issue does not affect you.

Affected Packages

npm react-dev-utils
Affected versions: >= 0.4.0, < 11.0.4 (fixed in 11.0.4)

Key Information

GHSA ID
GHSA-5q6m-3h65-w53x
Published
March 11, 2021 10:26 PM
Last Modified
August 3, 2022 5:21 PM
CVSS Score
5.0 / 10
Primary Ecosystem
npm
Primary Package
react-dev-utils
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 10, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.