PT-2021-15656 · Facebook · React-Dev-Utils

Zpbrent · Published 2021-03-09 · Updated 2021-03-16 · CVE-2021-24033

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: react-dev-utils versions prior to 11.0.4

Description: The issue concerns the function getProcessForPort, in which an input argument is concatenated into a command string that is then executed. This function is normally called from react-scripts in Create React App projects, where the usage is safe. However, when the function is invoked manually with user-provided values, command injection is possible. Users who consume the function only through react-scripts are not affected.

Recommendations: For react-dev-utils versions prior to 11.0.4, as a temporary workaround, avoid invoking getProcessForPort manually with user-provided values until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2021-24033
GHSA-5Q6M-3H65-W53X

Affected Products

React-Dev-Utils