PT-2018-17483 · Facebook · Nuclide
Published: 2018-12-31 · Updated: 2022-05-13 · CVE-2018-6333
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Nuclide versions prior to 0.290.0
Description
The hhvm-attach deep link handler in Nuclide did not properly sanitize the hostname parameter supplied in the link before rendering it. A malicious URL could therefore inject HTML and other content into the editor's context, potentially leading to code execution.
Recommendations
For Nuclide versions prior to 0.290.0, update to version 0.290.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the hhvm-attach deep link handler until the update is applied.
Fix
XSS
RCE
Related Identifiers
Affected Products
Nuclide