CVE-2018-6341

CVE-2018-6341

Vendor Facebook

Product react-dom

Weakness CWE-79 · XSS

Published December 31, 2018

Last update May 6, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Key dates

02Disclosure timeline

December 31, 2018 CVE published

May 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-6341 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2018-6341

CWE CWE-79

Affected versions

Vendor Facebook

Product react-dom

Affected 16.4.2

Vendor Facebook

Product react-dom

Affected ≥ 16.4.0 and < unspecified

Vendor Facebook

Product react-dom

Affected 16.3.3

Vendor Facebook

Product react-dom

Affected ≥ 16.3.0 and < unspecified

Vendor Facebook

Product react-dom

Affected 16.2.1

Vendor Facebook

Product react-dom

Affected ≥ 16.2.0 and < unspecified

Vendor Facebook

Product react-dom

Affected 16.1.2

Vendor Facebook

Product react-dom

Affected ≥ 16.1.0 and < unspecified

Vendor Facebook

Product react-dom

Affected 16.0.1

Vendor Facebook

Product react-dom

Affected ≥ 16.0.0 and < unspecified

01Description

02Disclosure timeline

03References

04Related CVE