React Developer Tools Flaw Let Attackers Launch a DDoS Attack

React Developer Tools is an essential tool for developers as it allows them to effectively inspect React components, modify the properties and state of these components, and pinpoint any performance issues. 

With this tool, developers can easily optimize the performance of their React applications, ensuring a smooth and efficient user experience.


React Developer Tools were found to have a vulnerability by Calum Hutton. The flaw is in the validation process of the URL that is retrieved by the browser. This means that there is a potential for security breaches through this loophole.

If you are using React Developer Tools version 4.27.8, be aware that a flaw has been identified. However, the good news is that the issue has been resolved with the latest version, 4.28.4. It is highly recommended to update to the latest version to ensure that your system is free from vulnerabilities.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Arbitrary URL Fetch via Malicious Web Page

The React Developer Tools extension registers a message listener in a content script accessible by a webpage active in the browser.

When the listener code requests the URL derived from the received message, the URL is not validated, which allows a malicious web page to fetch URLs via the victim’s browser arbitrarily.

“The content of the response is not returned to the malicious webpage, the impact of this issue is limited, i.e, sensitive resources available only to the victim cannot be retrieved,” reads the technical report.

One of the vulnerabilities that attackers can exploit involves generating ad clicks, enabling attackers to generate revenue. The same technique can also be combined with other browsers to launch a distributed denial-of-service (DDoS) attack without the knowledge or consent of the victim.

Proof-of-concept has been published, explaining how a crafted message triggers the above switch statement when clicking a button.

“In reality, it’s likely that the malicious web page would automatically send messages to the extension without the need for user interaction,” says Calum Hutton.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.