Miggo Logo

CVE-2018-6341: Cross-Site Scripting in react-dom

6.1

CVSS Score
3.0

Basic Information

EPSS Score
0.94458%
Published
1/4/2019
Updated
9/13/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
react-domnpm= 16.0.016.0.1
react-domnpm>= 16.1.0, < 16.1.216.1.2
react-domnpm= 16.2.016.2.1
react-domnpm>= 16.3.0, < 16.3.316.3.3
react-domnpm>= 16.4.0, < 16.4.216.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability exists in HTML attribute handling during SSR:

  1. createMarkupForProperty was missing attribute name validation (added in patch via isAttributeNameSafe check)
  2. isAttributeNameSafe had prototype pollution risks in cache handling

These functions appear in runtime profiles when:

  • Processing props with user-controlled attribute names
  • Generating HTML markup from React components
  • Validating DOM properties during server-side rendering

The test cases show direct exploitation through ReactDOMServer.renderToString() with malicious attribute names, which would flow through these functions. The patch adds validation at the attribute serialization layer (createMarkupForProperty) and hardens the validation helper (isAttributeNameSafe).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `r***t-*om` *r* vuln*r**l* to *ross-Sit* S*riptin* (XSS). T** p**k*** **ils to v*li**t* *ttri*ut* n*m*s in *TML t**s w*i** m*y l*** to *ross-Sit* S*riptin* in sp**i*i* s**n*rios. T*is m*y *llow *tt**k*rs to *x**ut* *r*itr*ry J*v*

Reasoning

T** *or* vuln*r**ility *xists in *TML *ttri*ut* **n*lin* *urin* SSR: *. *r**t*M*rkup*orProp*rty w*s missin* *ttri*ut* n*m* v*li**tion (***** in p*t** vi* is*ttri*ut*N*m*S*** ****k) *. is*ttri*ut*N*m*S*** *** prototyp* pollution risks in ***** **n*lin