Unknown · React-Editable-Json-Tree · CVE-2022-36010
**Name of the Vulnerable Software and Affected Versions**
- react-editable-json-tree versions <2.2.2
- react-editable-json-tree version 2.2.2 and later with the `allowFunctionEvaluation` prop set to `true`
- react-editable-json-tree versions prior to 3.0.0 with the `allowFunctionEvaluation` prop set to `true`
**Description**
The library allows strings to be parsed as functions and stored as a specialized component, `JsonFunctionValue`. This is done using JavaScript's `eval` function to execute strings that begin with "function" as JavaScript, which can allow arbitrary code to be executed if such a string exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. Users who have defined a custom `onSubmitValueParser` callback prop on the `JsonTree` component should be unaffected.
In version 2.2.2, the library switched from using `eval` to using `Function` to construct anonymous functions, which reduces the risk: arbitrary code is no longer executed immediately at parse time, and the functions are created without local closures, so they only have access to the global scope. Versions 2.2.2 and later nonetheless remain affected while `allowFunctionEvaluation` is `true`.
**Recommendations**
- For versions <2.2.2, upgrade to version 2.2.2 or later as soon as possible.
- For version 2.2.2 and later with the `allowFunctionEvaluation` prop set to `true`, explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability.
- For versions >=3.0.0, no further steps are necessary since `allowFunctionEvaluation` is already set to `false` by default.
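The following is an added example, not code from react-editable-json-tree itself. It models the value-parsing behaviour the Description above attributes to affected versions (a string beginning with "function" is turned into a callable via the `Function` constructor), places a hardened parser beside it that treats every string as inert data, and adds a small audit that walks a JSON document and reports every string value the vulnerable path would have evaluated. The sample document, the function names, and the single-argument parser shape are assumptions made for this illustration; the page does not give the argument list of `onSubmitValueParser`.

```javascript
// Added example (not the library's own code). Assumed names throughout.

// Vulnerable pattern, as described in the advisory for affected versions:
// a string that begins with "function" is compiled into a real function.
// The body only runs when the result is later invoked, but any value in an
// untrusted JSON document can reach this path.
function unsafeParseValue(raw) {
  if (typeof raw === "string" && raw.startsWith("function")) {
    return new Function("return " + raw)();
  }
  return raw;
}

// Hardened pattern, suitable as a custom onSubmitValueParser: never evaluate.
// Every string stays a string, so a function-looking value is displayed as
// text rather than compiled.
function safeParseValue(raw) {
  return raw;
}

// Pre-render audit: return the JSONPath-style locations of every string value
// that the vulnerable path would have evaluated. Useful as a check on data
// from untrusted sources before it is handed to the tree component.
function findEvaluatableStrings(node, path = "$") {
  const hits = [];
  if (typeof node === "string") {
    if (node.startsWith("function")) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((value, i) => {
      hits.push(...findEvaluatableStrings(value, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      hits.push(...findEvaluatableStrings(value, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample document (not real data): two of its string values
// begin with "function" and would be compiled by the vulnerable parser.
const SAMPLE_DOCUMENT = {
  name: "report",
  items: [1, "function () { return 42; }", { note: "plain text" }],
  callback: "function (x) { return x; }",
};

// Stand-alone demonstration of the difference between the two parsers.
function demo() {
  const value = SAMPLE_DOCUMENT.callback;
  return {
    unsafeType: typeof unsafeParseValue(value), // "function"
    safeType: typeof safeParseValue(value),     // "string"
    flagged: findEvaluatableStrings(SAMPLE_DOCUMENT),
  };
}

module.exports = { unsafeParseValue, safeParseValue, findEvaluatableStrings, SAMPLE_DOCUMENT, demo };
```

In an application, the equivalent of `safeParseValue` is what a custom `onSubmitValueParser` should do, and the Recommendations above already cover the simpler route of passing `allowFunctionEvaluation={false}` to `JsonTree` on 2.2.2 and later. The audit function is independent of the component and can run on any JSON payload before it is displayed.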