PT-2022-23110 · Unknown · React-Editable-Json-Tree
Oxyno-Zeta +1
Published: 2022-08-15 · Updated: 2022-08-18
CVE-2022-36010
CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
  • react-editable-json-tree versions <2.2.2
  • react-editable-json-tree version 2.2.2 and later with the allowFunctionEvaluation prop set to true
  • react-editable-json-tree versions prior to 3.0.0 with the allowFunctionEvaluation prop set to true
Description The library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. This is done using JavaScript's eval function to execute strings that begin with "function" as JavaScript, which allows arbitrary code to be executed if such a string exists as a value within the JSON structure being displayed. Given that this component is often used to display data from arbitrary, untrusted sources, this is extremely dangerous: a single string value in the rendered JSON is enough, and no user interaction beyond displaying the data is required (hence UI:N in the vector). Users who have defined a custom onSubmitValueParser callback prop on the JsonTree component should be unaffected, since their parser is used in place of the default string-to-function parsing.
In version 2.2.2, the library switched from using eval to using the Function constructor to build anonymous functions, which is better for security reasons: arbitrary code should not be able to execute immediately, and functions are created without local closures, so they only have access to the global scope. This is a hardening step rather than a complete fix: attacker-controlled text is still compiled into a callable function, and it runs with full access to the browser globals (the DOM, storage, network APIs) the moment anything invokes it. Only disabling evaluation, by setting allowFunctionEvaluation to false, removes the code path entirely.
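To make the difference between the three behaviours concrete, here is an added example (not the library's own code) of a minimal value parser that mirrors what the advisory describes: strings beginning with "function" are turned into code. The parser names (parseWithEval, parseWithFunction, parseSafe, walk, countSideEffects), the untrusted JSON document and the payload string are all constructed for this illustration. It shows that eval runs attacker code at parse time, that the Function constructor merely defers it until the result is called, and that keeping the value as a string (the allowFunctionEvaluation=false behaviour) is the only variant in which nothing attacker-controlled is ever compiled.

```javascript
// Added example, not react-editable-json-tree's code. It models the three
// parsing behaviours the advisory describes for a string value that begins
// with "function".

// Constructed untrusted input: a JSON document as it might be fetched from an
// API and handed to a tree viewer. The "cb" value starts with "function", but
// the comma operator means evaluating it as an expression calls sideEffect()
// immediately; no one has to invoke the function.
const UNTRUSTED_JSON =
  '{"name":"demo","cb":"function () {}, globalThis.sideEffect()"}';

// Behaviour 1 (pre-2.2.2 style): eval the string as an expression.
// Arbitrary code runs at parse time, with access to the caller's scope.
function parseWithEval(value) {
  if (typeof value === 'string' && value.startsWith('function')) {
    return eval(`(${value})`); // eslint-disable-line no-eval
  }
  return value;
}

// Behaviour 2 (2.2.2 style): compile with the Function constructor.
// Nothing runs at parse time and the body sees only the global scope, but the
// attacker's code is still there and runs as soon as the result is called.
function parseWithFunction(value) {
  if (typeof value === 'string' && value.startsWith('function')) {
    return new Function(`"use strict"; return (${value});`);
  }
  return value;
}

// Behaviour 3 (allowFunctionEvaluation=false, the 3.0.0 default): the string
// is displayed as a string. No attacker-controlled text is ever compiled.
function parseSafe(value) {
  return value;
}

// Apply a leaf parser to every value in a parsed JSON document, the way a
// tree viewer would while rendering.
function walk(node, parser) {
  if (Array.isArray(node)) return node.map((n) => walk(n, parser));
  if (node !== null && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, walk(v, parser)]),
    );
  }
  return parser(node);
}

// Harness: install a global canary, render the untrusted document with the
// given parser, optionally call whatever came back for "cb", and report how
// many times the canary fired and what type "cb" ended up as.
function countSideEffects(parser, invokeResult = false) {
  globalThis.sideEffectCount = 0;
  globalThis.sideEffect = () => {
    globalThis.sideEffectCount += 1;
    return 'executed';
  };
  const rendered = walk(JSON.parse(UNTRUSTED_JSON), parser);
  if (invokeResult && typeof rendered.cb === 'function') rendered.cb();
  return { count: globalThis.sideEffectCount, cbType: typeof rendered.cb };
}

console.log('eval             ', countSideEffects(parseWithEval));
console.log('Function (idle)  ', countSideEffects(parseWithFunction));
console.log('Function (called)', countSideEffects(parseWithFunction, true));
console.log('string only      ', countSideEffects(parseSafe));
```

Running it shows the canary firing once during parsing under eval, zero times under the Function constructor until the compiled function is called (then once), and never when the value is left as a string. In the real component the last case is what the recommendations describe: pass allowFunctionEvaluation={false} to JsonTree, or supply your own onSubmitValueParser that never evaluates input.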
Recommendations
  • For versions <2.2.2, upgrade to version 2.2.2 or later as soon as possible.
  • For version 2.2.2 and later with allowFunctionEvaluation prop set to true, explicitly set JsonTree's allowFunctionEvaluation prop to false to fully mitigate this vulnerability.
  • For versions >=3.0.0, no further steps are necessary since allowFunctionEvaluation is already set to false by default.

Weakness Enumeration
Eval Injection

Related Identifiers

CVE-2022-36010
GHSA-J3RV-W43Q-F9X2

Affected Products

React-Editable-Json-Tree