## Microsoft's 'Company Communicator' App Exposed by Critical 10.0-Severity React Northstar Vulnerability
A critical security flaw with a maximum severity score of 10.0 has been discovered within a Microsoft application's core dependency chain. The vulnerability, CVE-2024-39008, resides in the `react-northstar-0.52.1.tgz` library used by the 'Company Communicator' client application. This is not a theoretical risk; the path to the vulnerable library is explicitly mapped to `/Source/CompanyCommunicator/ClientApp/package.json`, indicating a direct and active integration into a Microsoft product's codebase.

The issue stems from a transitive dependency, `fast-loops-1.1.3.tgz`, bundled within the React Northstar package. The vulnerability is classified as 'Critical' and carries a CVSS score of 10.0, the highest possible, denoting a severe and easily exploitable weakness. Crucially, the report indicates that remediation is currently not possible (❌) and no fixed version of `react-northstar` is available (`N/A*`), leaving applications dependent on this library in a state of exposure with no immediate patch.
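To check whether a lockfile resolves the affected `fast-loops` version, and through which direct dependency, the following added example (not part of the original report or of Microsoft's code) walks the `packages` map of a package-lock.json using Node's resolution order. The lockfile is constructed; `example-style-renderer` and `example-util` are hypothetical packages, and the scoped name `@fluentui/react-northstar` is an assumption about how the library appears in the lockfile.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout, not the
// project's real lockfile. example-style-renderer and example-util are hypothetical.
const sampleLock = {
  packages: {
    "": { name: "client-app", dependencies: { "@fluentui/react-northstar": "0.52.1", "example-util": "1.0.0" } },
    "node_modules/@fluentui/react-northstar": { version: "0.52.1", dependencies: { "example-style-renderer": "^1.0.0" } },
    "node_modules/example-style-renderer": { version: "1.0.0", dependencies: { "fast-loops": "1.1.3" } },
    "node_modules/example-style-renderer/node_modules/fast-loops": { version: "1.1.3" },
    "node_modules/example-util": { version: "1.0.0", dependencies: { "fast-loops": "^1.1.4" } },
    "node_modules/fast-loops": { version: "1.1.4" }, // hoisted copy, different version
  },
};

// Node resolution order: the requiring package's own node_modules, then each ancestor's.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. skipped optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name is everything after the last "node_modules/" (keeps @scope/name intact).
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Return every dependency chain from the root project to name@version.
function findChains(lock, name, version) {
  const pkgs = lock.packages, chains = [];
  const walk = (path, trail, seen) => {
    const pkg = pkgs[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path === "" ? pkg.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(pkgs, path, dep);
      if (!target || seen.has(target)) continue; // missing package or dependency cycle
      const step = trail.concat(`${nameOf(target)}@${pkgs[target].version}`);
      const hit = nameOf(target) === name && pkgs[target].version === version;
      if (hit) chains.push(step.join(" > "));
      walk(target, step, new Set(seen).add(target));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock, "fast-loops", "1.1.3"));
```

The first element of each chain is the direct dependency in `package.json` that would have to be replaced or overridden to drop the nested copy.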

This finding places direct pressure on Microsoft's internal security and development teams responsible for the 'Company Communicator' and any other services relying on this specific version of React Northstar. The presence of such a high-severity, un-patchable vulnerability in a live enterprise communication tool signals a significant operational security risk. It forces a difficult choice between running vulnerable software or undertaking a potentially complex and disruptive library migration or workaround, with the integrity of the application's supply chain now under intense scrutiny.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, supply-chain, react, microsoft, cve-2024-39008
- **Credibility**: unverified
- **Published**: 2026-04-01 13:27:27
- **ID**: 45414
- **URL**: https://whisperx.ai/en/intel/45414