<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>React-Dev-Utils - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/react-dev-utils/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 08:23:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/react-dev-utils/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14802: Remote OS Command Injection in React Create React App</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14802-react-create-react-app/</link><pubDate>Mon, 06 Jul 2026 08:23:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14802-react-create-react-app/</guid><description>A high-severity OS command injection vulnerability (CVE-2026-14802) exists in `react create-react-app` up to version 5.0.1, specifically within the `startBrowserProcess` function of the `openBrowser.js` file in the `react-dev-utils` component, allowing for remote exploitation and arbitrary OS command execution on affected macOS development environments.</description><content:encoded><![CDATA[<p>A significant OS command injection vulnerability, tracked as CVE-2026-14802, has been identified in <code>react create-react-app</code> versions up to 5.0.1. This flaw specifically impacts macOS systems running development environments utilizing the <code>react-dev-utils</code> component, particularly within the <code>startBrowserProcess</code> function found in <code>openBrowser.js</code>. The vulnerability allows for remote exploitation, enabling an unauthenticated attacker to inject and execute arbitrary operating system commands. An exploit for this vulnerability is now publicly available, increasing the risk of widespread attacks against exposed development instances. This vulnerability was initially reported via an issue, but the project maintainers have not yet responded.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker identifies a <code>create-react-app</code> development server, version 5.0.1 or earlier, running on a macOS machine and exposed to the network, often due to misconfiguration or lack of proper network segmentation.</li>
<li><strong>Vulnerability Identification</strong>: The attacker determines that the exposed <code>create-react-app</code> instance is vulnerable to CVE-2026-14802, specifically targeting the <code>startBrowserProcess</code> function within the <code>react-dev-utils</code> component.</li>
<li><strong>Command Injection</strong>: The attacker crafts and sends a specially malicious request to the <code>create-react-app</code> development server, embedding OS commands within the input intended for the <code>startBrowserProcess</code> function in <code>openBrowser.js</code>.</li>
<li><strong>OS Command Execution</strong>: The vulnerable <code>startBrowserProcess</code> function processes the unsanitized input, leading to the execution of the injected OS commands with the privileges of the running <code>create-react-app</code> process on the macOS system.</li>
<li><strong>Payload Delivery and Persistence</strong>: The executed commands can then download and launch additional malicious payloads, such as reverse shells, infostealers, or ransomware, and establish persistence mechanisms on the compromised developer workstation.</li>
<li><strong>Lateral Movement and Data Exfiltration</strong>: With control over the developer's machine, the attacker can move laterally within the network, access source code repositories, exfiltrate sensitive intellectual property, or steal credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14802 can lead to severe consequences for organizations. Attackers gaining control over a developer's workstation can compromise sensitive intellectual property, such as proprietary source code, design documents, and API keys. This can lead to data breaches, supply chain attacks if malicious code is injected into software projects, and unauthorized access to internal systems. The remote and unauthenticated nature of the vulnerability, coupled with the public availability of exploit code, increases the likelihood of rapid and widespread exploitation if development environments are not adequately secured.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch <code>create-react-app</code></strong>: Immediately update <code>create-react-app</code> to a version beyond 5.0.1 to remediate CVE-2026-14802.</li>
<li><strong>Isolate Development Environments</strong>: Ensure <code>create-react-app</code> development servers and other development tools are not exposed to untrusted networks and are properly segmented from production environments.</li>
<li><strong>Implement Endpoint Detection &amp; Response (EDR)</strong>: Deploy EDR solutions on all macOS developer workstations to monitor for suspicious process creation and network connections that may indicate exploitation.</li>
<li><strong>Monitor for Public Exploits</strong>: Actively monitor public sources, including the references listed in this brief, for new exploit details or proof-of-concepts related to CVE-2026-14802.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>command-injection</category><category>macos</category><category>web-application</category></item></channel></rss>