CVE-2026-14802: Remote OS Command Injection in React Create React App
A high-severity OS command injection vulnerability (CVE-2026-14802) exists in `react create-react-app` up to version 5.0.1, specifically within the `startBrowserProcess` function of the `openBrowser.js` file in the `react-dev-utils` component, allowing for remote exploitation and arbitrary OS command execution on affected macOS development environments.
A significant OS command injection vulnerability, tracked as CVE-2026-14802, has been identified in react create-react-app versions up to 5.0.1. This flaw specifically impacts macOS systems running development environments utilizing the react-dev-utils component, particularly within the startBrowserProcess function found in openBrowser.js. The vulnerability allows for remote exploitation, enabling an unauthenticated attacker to inject and execute arbitrary operating system commands. An exploit for this vulnerability is now publicly available, increasing the risk of widespread attacks against exposed development instances. This vulnerability was initially reported via an issue, but the project maintainers have not yet responded.
Attack Chain
- Initial Access: An attacker identifies a
create-react-appdevelopment server, version 5.0.1 or earlier, running on a macOS machine and exposed to the network, often due to misconfiguration or lack of proper network segmentation. - Vulnerability Identification: The attacker determines that the exposed
create-react-appinstance is vulnerable to CVE-2026-14802, specifically targeting thestartBrowserProcessfunction within thereact-dev-utilscomponent. - Command Injection: The attacker crafts and sends a specially malicious request to the
create-react-appdevelopment server, embedding OS commands within the input intended for thestartBrowserProcessfunction inopenBrowser.js. - OS Command Execution: The vulnerable
startBrowserProcessfunction processes the unsanitized input, leading to the execution of the injected OS commands with the privileges of the runningcreate-react-appprocess on the macOS system. - Payload Delivery and Persistence: The executed commands can then download and launch additional malicious payloads, such as reverse shells, infostealers, or ransomware, and establish persistence mechanisms on the compromised developer workstation.
- Lateral Movement and Data Exfiltration: With control over the developer's machine, the attacker can move laterally within the network, access source code repositories, exfiltrate sensitive intellectual property, or steal credentials.
Impact
Successful exploitation of CVE-2026-14802 can lead to severe consequences for organizations. Attackers gaining control over a developer's workstation can compromise sensitive intellectual property, such as proprietary source code, design documents, and API keys. This can lead to data breaches, supply chain attacks if malicious code is injected into software projects, and unauthorized access to internal systems. The remote and unauthenticated nature of the vulnerability, coupled with the public availability of exploit code, increases the likelihood of rapid and widespread exploitation if development environments are not adequately secured.
Recommendation
- Patch
create-react-app: Immediately updatecreate-react-appto a version beyond 5.0.1 to remediate CVE-2026-14802. - Isolate Development Environments: Ensure
create-react-appdevelopment servers and other development tools are not exposed to untrusted networks and are properly segmented from production environments. - Implement Endpoint Detection & Response (EDR): Deploy EDR solutions on all macOS developer workstations to monitor for suspicious process creation and network connections that may indicate exploitation.
- Monitor for Public Exploits: Actively monitor public sources, including the references listed in this brief, for new exploit details or proof-of-concepts related to CVE-2026-14802.
Indicators of compromise
6
url
| Type | Value |
|---|---|
| url | https://github.com/react/create-react-app/ |
| url | https://github.com/react/create-react-app/issues/17269 |
| url | https://vuldb.com/cve/CVE-2026-14802 |
| url | https://vuldb.com/submit/850857 |
| url | https://vuldb.com/vuln/376396 |
| url | https://vuldb.com/vuln/376396/cti |