6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-6341

GHSA ID

GHSA-mvjj-gqq2-p4hw

EPSS Score

0.94458%

CWE

CWE-79

Published

1/4/2019

Updated

9/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-6341

CVE-2018-6341: Cross-Site Scripting in react-dom

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:

be a server-side React app
be rendered to HTML using ReactDOMServer
include an attribute name from user input in an HTML tag

Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-6341

GHSA ID

GHSA-mvjj-gqq2-p4hw

EPSS Score

0.94458%

CWE

CWE-79

Published

1/4/2019

Updated

9/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-dom	npm	= 16.0.0	16.0.1
react-dom	npm	>= 16.1.0, < 16.1.2	16.1.2
react-dom	npm	= 16.2.0	16.2.1
react-dom	npm	>= 16.3.0, < 16.3.3	16.3.3
react-dom	npm	>= 16.4.0, < 16.4.2	16.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability exists in HTML attribute handling during SSR:

createMarkupForProperty was missing attribute name validation (added in patch via isAttributeNameSafe check)
isAttributeNameSafe had prototype pollution risks in cache handling

These functions appear in runtime profiles when:

Processing props with user-controlled attribute names
Generating HTML markup from React components
Validating DOM properties during server-side rendering

The test cases show direct exploitation through ReactDOMServer.renderToString() with malicious attribute names, which would flow through these functions. The patch adds validation at the attribute serialization layer (createMarkupForProperty) and hardens the validation helper (isAttributeNameSafe).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `r***t-*om` *r* vuln*r**l* to *ross-Sit* S*riptin* (XSS). T** p**k*** **ils to v*li**t* *ttri*ut* n*m*s in *TML t**s w*i** m*y l*** to *ross-Sit* S*riptin* in sp**i*i* s**n*rios. T*is m*y *llow *tt**k*rs to *x**ut* *r*itr*ry J*v*

Reasoning

T** *or* vuln*r**ility *xists in *TML *ttri*ut* **n*lin* *urin* SSR: *. *r**t*M*rkup*orProp*rty w*s missin* *ttri*ut* n*m* v*li**tion (***** in p*t** vi* is*ttri*ut*N*m*S*** ****k) *. is*ttri*ut*N*m*S*** *** prototyp* pollution risks in ***** **n*lin

6.1

Basic Information

Concerned about an active attack path?

CVE-2018-6341: Cross-Site Scripting in react-dom

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI