React Editable Json Tree vulnerable to arbitrary code execution via function parsing

Severity:: High

Description

Our library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript’s eval function was used to execute strings that begin with “function” as Javascript.

Recommendation

Update the react-editable-json-tree package to the latest compatible version. Followings are version details:

Affected version(s): < 2.2.2
Patched version(s): 2.2.2

References

GHSA-j3rv-w43q-f9x2
CVE-2022-36010
CWE-95
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
react-dev-utils on Windows vulnerable to Remote Code Execution - CVE-2018-6342
Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750

Tags:: npm; react-editable-json-tree

Anything's wrong? Let us know Last updated on January 30, 2023