CVE-2022-36010

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Aug 15, 2022 / Updated: 27mo ago

CVSS 9.8 / EPSS 0.17% / Critical

This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, JavaScript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as JavaScript. This allows arbitrary code to be executed if such a string exists as a value within the JSON structure being displayed, and since this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***: the vulnerability exists in the default `onSubmitValueParser` prop, which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30).

A new prop is added to `JsonTree` called `allowFunctionEvaluation`. This prop is set to `true` in v2.2.2, which allows upgrading without losing backwards compatibility. In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons:

- Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions
- Functions are created without local closures, so they only have access to the global scope

If you use:

- **Version `^2.2.2`**, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability.
- **Version `>=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.
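The parse-then-evaluate step described above, reconstructed as an added example. This is illustrative code written for this page, not the project's own `parse` function or its v2.2.2 patch: the names `parseScalar`, `parseValueUnsafe`, `parseValueGuarded` and `safeValueParser`, the `(isEditMode, keyPath, deep, key, rawValue)` argument order for the custom parser, and the hostile JSON value are all assumptions made here. Only the prop name `allowFunctionEvaluation` and the callback name `onSubmitValueParser` come from the advisory. The block runs the same attacker-controlled value through the `eval` path, the gated `Function` path with the prop off and on, and a custom parser that never evaluates anything.

```javascript
// Added example (not the project's code): reconstruction of the value-parsing
// step behind CVE-2022-36010 beside its hardened variants.

// Scalar handling shared by all variants: null, booleans, numbers, else string.
function parseScalar(raw) {
  if (typeof raw !== 'string') return raw;
  if (raw === 'null') return null;
  if (raw === 'true') return true;
  if (raw === 'false') return false;
  if (raw.trim() !== '' && !Number.isNaN(Number(raw))) return Number(raw);
  return raw;
}

// Pre-2.2.2 behaviour (reconstructed, assumed): a string value beginning with
// "function" is handed to eval, so any statement that follows the declaration
// runs immediately, at parse time, in the viewer's browser and origin.
function parseValueUnsafe(raw) {
  if (typeof raw === 'string' && raw.startsWith('function')) {
    // eslint-disable-next-line no-eval
    return eval(raw);
  }
  return parseScalar(raw);
}

// 2.2.2-style behaviour (reconstructed, assumed): gated by allowFunctionEvaluation
// and built with the Function constructor. The constructor only compiles the
// source into a function object; nothing in its body runs here, and the function
// sees global scope only, not the caller's local closures.
function parseValueGuarded(raw, { allowFunctionEvaluation = false } = {}) {
  if (typeof raw === 'string' && raw.startsWith('function')) {
    if (!allowFunctionEvaluation) return raw; // keep it as an inert string
    // Parentheses force a single function expression: a payload with trailing
    // statements such as "function f(){}; steal()" is a SyntaxError, not code.
    return new Function(`"use strict"; return (${raw});`)();
  }
  return parseScalar(raw);
}

// A custom onSubmitValueParser that never evaluates anything. The advisory notes
// that users supplying their own callback were unaffected; this is one such
// callback. The argument order is assumed for this example.
function safeValueParser(_isEditMode, _keyPath, _deep, _key, rawValue) {
  return parseScalar(rawValue);
}

// Constructed hostile value, as it might appear inside untrusted JSON shown in
// the tree. A write to globalThis.__pwned marks that the payload executed.
const HOSTILE_VALUE = "function f() {}; globalThis.__pwned = 'code ran'";

// Runs each parser over the hostile value and reports what happened.
function demo() {
  const results = {};

  delete globalThis.__pwned;
  parseValueUnsafe(HOSTILE_VALUE);
  results.unsafeRan = globalThis.__pwned;               // 'code ran'

  delete globalThis.__pwned;
  results.guardedOff = parseValueGuarded(HOSTILE_VALUE); // the raw string back
  results.guardedOffRan = globalThis.__pwned;           // undefined

  delete globalThis.__pwned;
  try {
    parseValueGuarded(HOSTILE_VALUE, { allowFunctionEvaluation: true });
    results.guardedOn = 'no error';
  } catch (e) {
    results.guardedOn = e.constructor.name;             // 'SyntaxError'
  }
  results.guardedOnRan = globalThis.__pwned;            // undefined

  // A legitimate function string still round-trips when evaluation is enabled.
  // Its body runs only when the application calls it, which is exactly when an
  // attacker-supplied body would run too.
  const add = parseValueGuarded('function (a, b) { return a + b; }',
                                { allowFunctionEvaluation: true });
  results.legit = add(2, 3);                            // 5

  results.custom = safeValueParser(false, [], 0, 'k', HOSTILE_VALUE);
  return results;
}
```

In a React app on v2.2.2 the fix is the prop on the component, for example `<JsonTree data={data} allowFunctionEvaluation={false} />`, or a custom `onSubmitValueParser` such as `safeValueParser` above. The caveat worth keeping in mind is that the `Function` constructor defers execution rather than removing it: the body of an attacker-supplied function still runs the moment the application invokes the parsed value, and the global scope it sees includes `fetch`, `document` and `localStorage`. Treat `allowFunctionEvaluation={true}` as a statement that the JSON is fully trusted.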

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2022-36010.

Aug 15, 2022 at 7:20 PM / twitter.com
Threat Intelligence Report

CVE-2022-36010 in the react-editable-json-tree npm package (a React component) allows JavaScript embedded in a displayed JSON string value to execute in the browser of whoever views the tree, with a CVSS score of 9.8. Fixed versions are available: v2.2.2 adds the `allowFunctionEvaluation` prop, which must be set to `false` explicitly, and v3.0.0 disables function evaluation by default. No public exploit is listed (the vuldb entry below states none is available) and none of the references here report exploitation in the wild. Because the code runs client-side when the component renders untrusted data, upgrading or supplying a custom `onSubmitValueParser` is the mitigation; network-level controls do not address it.

Aug 21, 2022 at 5:22 PM
EPSS

EPSS Score was set to: 0.17% (Percentile: 53.2%)

Sep 15, 2023 at 3:03 PM

Affected Systems

React_editable_json_tree_project/react_editable_json_tree

Exploits

https://github.com/oxyno-zeta/react-editable-json-tree/security/advisories/GHSA-j3rv-w43q-f9x2

Patches

Github Advisory

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

React Editable Json Tree vulnerable to arbitrary code execution via function parsing
For version `^2.2.2`, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability.

References

Rewterz Threat Advisory – CVE-2022-36010 – Node.js react-editable-json-tree module Vulnerability
Node.js react-editable-json-tree module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the eval function parsing.

News

CVE-2022-36010 | oxyno-zeta react-editable-json-tree prior 2.2.2 neutralization of directives (GHSA-j3rv-w43q-f9x2)
A vulnerability was found in oxyno-zeta react-editable-json-tree. It has been classified as problematic. Affected is an unknown function. The manipulation leads to improper neutralization of directives in dynamically evaluated code ('eval injection'). This vulnerability is traded as CVE-2022-36010 . It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
Node.js react-editable-json-tree module code execution | CVE-2022-36010
Node.js react-editable-json-tree module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the eval function parsing.
Critical - CVE-2022-36010 - This library allows strings to be parsed as...
This library allows strings to be parsed as functions and stored as a specialized component,...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
