RCE in React Native CLI opens Dev Servers to attacks
Briefly

"A fix is available, but development teams must move fast, JFrog researchers warned in a blog post."

Weak development server defaults

"The vulnerability arises because the Metro development server, which is started using the CLI tool, exposes a "/open-url" HTTP endpoint that takes a URL parameter from a POST request and passes it directly to the "open()" function in the open NPM package. On Windows, this can spawn a "cmd /c ..." call, enabling arbitrary command execution."
"Adding to the problem is a misconfiguration in the CLI, which prints that the server is listening on "localhost", but under the hood, the host values end up undefined, and the server listens on 0.0.0.0 by default, opening it to all external networks."
Metro's development server exposes a /open-url HTTP endpoint that accepts a URL parameter from a POST request and passes it directly to the open() function in the open NPM package. On Windows, that flow can spawn a cmd /c ... call, enabling arbitrary command execution. A CLI misconfiguration reports the server as listening on "localhost" while leaving the host value undefined, so the server binds to 0.0.0.0 and accepts connections from external networks. A fix is available; development teams must update quickly to prevent remote exploitation and unauthorized command execution against exposed development servers.
Read at InfoWorld