Source: cve-assign@fb.com
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
In the affected releases, ReactDOMServer (renderToString, renderToStaticMarkup and the Node stream variants) escaped attribute values but wrote attribute names into the markup unchecked. An application that lets untrusted input choose attribute names, typically by spreading a request-derived object onto an element, therefore emitted HTML in which the attacker could terminate the attribute and append an event handler or a new tag. The injected script runs in the origin of the vulnerable site, which is what turns the flaw into session or account compromise and data theft.
The root cause is a missing validation step, not a memory-safety bug. When ReactDOMServer serialised an element's props to markup it escaped each attribute value but concatenated the attribute name as-is. Inside a start tag, whitespace, '/', '=' and '>' within a name end the attribute or the tag, so a name such as x onmouseover=alert(1) y yields a second, attacker-chosen attribute. Entity encoding is the wrong tool for this position: the HTML tokenizer does not decode character references inside attribute names, and the characters that break out of a name are not the ones an encoder touches. The correct behaviour, and what the patched releases do, is to validate the name against the attribute-name syntax (the isAttributeNameSafe check the client-side renderer already applied) and emit nothing for a name that fails it. The precondition is that untrusted data controls a prop name rather than a prop value; values were already escaped correctly, so applications that only interpolate user data into attribute values were not exposed.
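The attribute-name problem in working code, as an added example rather than React's own source: a toy server renderer written for this page, with the unchecked emission, the entity-encoding non-fix and the validation fix side by side. The regex, the function names and the sample props object are assumptions made here; React's real validation additionally admits many non-ASCII characters.

```javascript
// Added example; this is not React's source. A toy server renderer that
// reproduces the class of bug: attribute VALUES are escaped, attribute NAMES
// are written out unchecked, followed by the fix that actually closes it.

// Escape a value for use inside a double-quoted HTML attribute value.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: every key of `props` becomes an attribute name verbatim. If an
// attacker controls a key, a space inside it ends the attribute and lets them
// start a new one such as onmouseover=alert(1).
function renderTagVulnerable(tag, props) {
  let attrs = '';
  for (const [name, value] of Object.entries(props)) {
    attrs += ' ' + name + '="' + escapeAttrValue(value) + '"';
  }
  return '<' + tag + attrs + '></' + tag + '>';
}

// Wrong fix: entity-encoding the name. An encoder only touches & < > ", but
// what breaks out of an attribute name is whitespace, '/' and '=', which pass
// through untouched (and the tokenizer does not decode character references
// inside attribute names anyway). The payload below survives unchanged.
function renderTagEntityEncodedName(tag, props) {
  let attrs = '';
  for (const [name, value] of Object.entries(props)) {
    attrs += ' ' + escapeAttrValue(name) + '="' + escapeAttrValue(value) + '"';
  }
  return '<' + tag + attrs + '></' + tag + '>';
}

// Correct fix: validate the name and emit nothing for one that is not a
// well-formed attribute name. ASCII approximation of the XML Name grammar,
// assumed here; React's own regex additionally admits non-ASCII ranges.
const VALID_ATTRIBUTE_NAME = /^[:A-Za-z_][:A-Za-z0-9_.\-]*$/;

function isAttributeNameSafe(name) {
  return VALID_ATTRIBUTE_NAME.test(name);
}

// `dropped` collects rejected names so the caller can log or alert on them.
function renderTagFixed(tag, props, dropped = []) {
  let attrs = '';
  for (const [name, value] of Object.entries(props)) {
    if (!isAttributeNameSafe(name)) {
      dropped.push(name);
      continue;
    }
    attrs += ' ' + name + '="' + escapeAttrValue(value) + '"';
  }
  return '<' + tag + attrs + '></' + tag + '>';
}

// Constructed attacker input: an object whose keys reach the renderer through
// a spread such as <div {...fieldsFromRequest} />. Only the key is malicious;
// the value is harmless, so escaping the value changes nothing.
const untrustedProps = {
  id: 'profile',
  'data-x onmouseover=alert(1) y': '1',
};

console.log(renderTagVulnerable('div', untrustedProps));
// <div id="profile" data-x onmouseover=alert(1) y="1"></div>
console.log(renderTagFixed('div', untrustedProps));
// <div id="profile"></div>
```

The point of the middle variant is that the remediation advice "encode the attribute name" does not work; only the allowlist-style syntax check removes the breakout characters, and it does so by refusing to emit the attribute rather than by rewriting it.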
No threat actor has been publicly tied to this CVE, but XSS in server-rendered pages is a routine foothold: the injected script runs with the victim's session and is typically used to steal tokens or credentials early in an attack chain. Not listed on CISA KEV.
Monitor web server logs for requests whose parameter or JSON field names, not just their values, contain whitespace, quotes, '=', '/' or '>' or spell event-handler attributes such as onmouseover, onload or onclick; the bug is only reachable through attacker-controlled names.
Review the HTML your server actually emits (renderToString output, or responses captured in a proxy) for attributes you did not define, in particular on* handlers and stray attribute names containing quotes, '=' or whitespace.
Deploy a Content Security Policy that disallows inline script and reports violations (report-uri or report-to); a blocked attempt to execute an injected handler then surfaces as a CSP report.
Use a Web Application Firewall (WAF) with signature- or behaviour-based XSS rules as a supporting control; rules tuned for parameter values can miss a payload carried in a parameter name.
Review application code for places where untrusted data can become a prop name: spreads of request-derived objects onto host elements (<div {...params} />), createElement props built from user-supplied keys, and any attribute name assembled from input. Look for a missing allowlist or syntax check on the name.
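The log-monitoring step above as an added detection script (not part of the advisory or of React): it parses combined-format access-log lines, decodes the query-string parameter names, and flags names that could not be legal attribute names or that spell an event handler. The log lines, the regexes and the framework-parameter allowance are constructed for this page.

```javascript
// Added example; not from the advisory or from React. Scans access-log lines
// for request parameter NAMES (not values) that an application spreading
// query parameters onto an element would have emitted as attribute names.
// Log format is Apache/Nginx combined; the lines below are constructed.

// ASCII approximation of a well-formed attribute name (assumed here).
const VALID_ATTRIBUTE_NAME = /^[:A-Za-z_][:A-Za-z0-9_.\-]*$/;
// Event-handler attribute names (onload, onclick, onmouseover, ...).
const EVENT_HANDLER_NAME = /^on[a-z]+$/i;
// Framework array/hash parameter syntax such as filter[tag]: not a legal
// attribute name either, but normal traffic, so it is not reported.
const FRAMEWORK_PARAM = /^[A-Za-z_][A-Za-z0-9_]*(\[[^\]]*\])+$/;

const REQUEST_LINE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP\/\d\.\d"/;

// Pull the request target (path + query) out of one log line, or null.
function extractRequestTarget(line) {
  const m = REQUEST_LINE.exec(line);
  return m ? m[1] : null;
}

// Decoded parameter names of the query string. URLSearchParams splits on '='
// before percent-decoding, so a %3D inside a name survives as '='.
function parameterNames(target) {
  const q = target.indexOf('?');
  if (q < 0) return [];
  return Array.from(new URLSearchParams(target.slice(q + 1)).keys());
}

// Classify one parameter name; returns a reason string, or null if benign.
function classifyName(name) {
  if (FRAMEWORK_PARAM.test(name)) return null;
  if (!VALID_ATTRIBUTE_NAME.test(name)) return 'not a well-formed attribute name';
  if (EVENT_HANDLER_NAME.test(name)) return 'event-handler attribute name';
  return null;
}

function findSuspiciousNames(line) {
  const target = extractRequestTarget(line);
  if (!target) return [];
  const findings = [];
  for (const name of parameterNames(target)) {
    const reason = classifyName(name);
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// One entry per log line that carried at least one suspicious name.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const findings = findSuspiciousNames(line);
    if (findings.length) hits.push({ index, target: extractRequestTarget(line), findings });
  });
  return hits;
}

// Constructed sample log. Line 1 carries a name that would break out of the
// attribute; line 2 mixes a benign framework parameter with an event-handler
// name; lines 0 and 3 are normal traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Aug/2018:13:55:36 +0000] "GET /profile?name=alice&page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Aug/2018:13:55:40 +0000] "GET /profile?data-x%20onmouseover%3Dalert(1)%20y=1 HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Aug/2018:13:56:01 +0000] "GET /search?filter[tag]=react&onload=1 HTTP/1.1" 200 2048 "-" "curl/7.61.0"',
  '198.51.100.4 - - [10/Aug/2018:13:56:09 +0000] "POST /api/save HTTP/1.1" 201 20 "-" "curl/7.61.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`line ${hit.index}: ${hit.target}`);
  for (const f of hit.findings) console.log(`  ${JSON.stringify(f.name)}: ${f.reason}`);
}
```

To use it on real traffic, read the access log line by line into scanLog. It only sees GET query strings; JSON or form bodies, which are the more common way for a user-controlled object to reach a spread, need the application's own request logging. Expect to extend FRAMEWORK_PARAM for frameworks that use other key syntaxes, otherwise legitimate nested parameters will be reported.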
Upgrade react-dom, the package that contains ReactDOMServer, to the fixed release for your minor (16.0.1, 16.1.2, 16.2.1, 16.3.3 or 16.4.2) or to 16.4.2 or later. Check transitive copies as well (npm ls react-dom), since a dependency can pin an older react-dom than the one your application declares.
Validate untrusted input against the expected shape before it reaches a render: reject unknown keys rather than passing arbitrary objects through a spread, and treat keys as untrusted even when the values have been validated.
Apply the control that fits each context: HTML-escape untrusted data used as attribute values (React does this for you), but for attribute names escaping does not help, so check the name against an allowlist of expected attributes or a strict attribute-name syntax and drop anything else.
Implement a Content Security Policy (CSP) to limit the impact if an XSS does land: without 'unsafe-inline' in script-src, injected inline handlers and script blocks do not execute, and restricting script sources limits what an attacker can load.
A Web Application Firewall (WAF) can block known XSS payload patterns; treat it as defence in depth behind the upgrade, not as a substitute for it.