We discovered a minor vulnerability that might affect some apps using ReactDOMServer. We are releasing a patch version for every affected React minor release so that you can upgrade with no friction. Read on for more details.
\nToday, we are releasing a fix for a vulnerability we discovered in the react-dom/server implementation. It was introduced with the version 16.0.0 and has existed in all subsequent releases until today.
This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected. Additionally, we expect that most server-rendered apps don’t contain the vulnerable pattern described below. Nevertheless, we recommend to follow the mitigation instructions at the earliest opportunity.
\nWhile we were investigating this vulnerability, we found similar vulnerabilities in a few other popular front-end libraries. We have coordinated this release together with Vue and Preact releases fixing the same issue. The tracking number for this vulnerability is CVE-2018-6341.
We have prepared a patch release with a fix for every affected minor version.
\nIf you’re using react-dom/server with this version:
react-dom@16.0.0Update to this version instead:
\nreact-dom@16.0.1 (contains the mitigation)If you’re using react-dom/server with one of these versions:
react-dom@16.1.0react-dom@16.1.1Update to this version instead:
\nreact-dom@16.1.2 (contains the mitigation)If you’re using react-dom/server with this version:
react-dom@16.2.0Update to this version instead:
\nreact-dom@16.2.1 (contains the mitigation)If you’re using react-dom/server with one of these versions:
react-dom@16.3.0react-dom@16.3.1react-dom@16.3.2Update to this version instead:
\nreact-dom@16.3.3 (contains the mitigation)If you’re using react-dom/server with one of these versions:
react-dom@16.4.0react-dom@16.4.1Update to this version instead:
\nreact-dom@16.4.2 (contains the mitigation)If you’re using a newer version of react-dom, no action is required.
Note that only the react-dom package needs to be updated.
Your app might be affected by this vulnerability only if both of these two conditions are true:
\nSpecifically, the vulnerable pattern looks like this:
\nlet props = {};\nprops[userProvidedData] = \"hello\";let element = <div {...props} />;\nlet html = ReactDOMServer.renderToString(element);In order to exploit it, the attacker would need to craft a special attribute name that triggers an XSS vulnerability. For example:
\nlet userProvidedData = '></div><script>alert(\"hi\")</script>';In the vulnerable versions of react-dom/server, the output would let the attacker inject arbitrary markup:
<div ></div><script>alert(\"hi\")</script>In the versions after the vulnerability was fixed (and before it was introduced), attributes with invalid names are skipped:
\n<div></div>You would also see a warning about an invalid attribute name.
\nNote that we expect attribute names based on user input to be very rare in practice. It doesn’t serve any common practical use case, and has other potential security implications that React can’t guard against.
\nReact v16.4.2 is available on the npm registry.
\nTo install React 16 with Yarn, run:
\nyarn add react@^16.4.2 react-dom@^16.4.2To install React 16 with npm, run:
\nnpm install --save react@^16.4.2 react-dom@^16.4.2We also provide UMD builds of React via a CDN:
\n<script crossorigin src=\"https://unpkg.com/react@16/umd/react.production.min.js\"></script>\n<script crossorigin src=\"https://unpkg.com/react-dom@16/umd/react-dom.production.min.js\"></script>Refer to the documentation for detailed installation instructions.
\nCVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)hasOwnProperty. This fix is only available in react-dom@16.4.2. (@gaearon in #13303)