CVE-2024-23347

HIGH
Published Jan 16, 2024 Modified Jun 20, 2025

Description

Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application.

CVSS v3.1 Score

7.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

Vendor Product
facebook meta_spark_studio

References

Frequently Asked Questions

What is CVE-2024-23347? +
Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project. Those scripts would have the ability to execute arbitrary code on the system as the application. It has a CVSS v3.1 base score of 7.8 (HIGH).
How severe is CVE-2024-23347? +
CVE-2024-23347 has a CVSS v3.1 score of 7.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2024-23347? +
CVE-2024-23347 affects products from facebook, specifically: meta_spark_studio. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-23347? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-55182 10.0

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following …
CVE-2025-55184 7.5

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, …
CVE-2025-67779 7.5

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial …
CVE-2025-27591 6.8

A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory …
CVE-2025-55181 5.3

Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing …
CVE-2025-55183 5.3

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-23347 — free, no signup required.

Start Free Scan