CVE-2022-36010 in react-editable-json-tree

Summary

by MITRE • 08/15/2022

This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, JavaScript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as JavaScript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous.

One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30).

A prop called `allowFunctionEvaluation` is added to `JsonTree`. This prop will be set to `true` in v2.2.2, which allows upgrade without losing backwards-compatibility. In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons:

- Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions
- Functions are created without local closures, so they only have access to the global scope

If you use:

- **Version `<2.2.2`**, you must upgrade as soon as possible.
- **Version `^2.2.2`**, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability.
- **Version `>=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.


Analysis

by VulDB Data Team • 09/17/2022

This vulnerability exists in the react-editable-json-tree library, where the specialized JsonFunctionValue component handles strings that begin with "function" by passing them to JavaScript's eval function, so the string is executed as code rather than shown as data. The flaw is a critical risk because any value in the JSON structure being rendered can carry arbitrary JavaScript, and the component is often used to display data from sources the application does not control. An attacker who can place a string into that data can therefore run code in the browser of every user who views the tree. The weakness is CWE-94 (Improper Control of Generation of Code, "Code Injection") and maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript).

Technically, the vulnerability stems from the library's default onSubmitValueParser, which calls a parse utility that invokes eval on strings beginning with "function". eval runs the string with the same privileges as the page's own scripts, in the viewer's browser and origin, so the normal separation between displayed data and executable code is lost; no validation or sanitization is applied to the string before it reaches the interpreter. The exposure is amplified because the library exists to render and edit JSON trees, which by design means processing user input or data fetched from external sources, so anyone who controls the JSON being parsed controls what gets executed. One practical caveat: a Content Security Policy whose script-src does not include 'unsafe-eval' blocks eval and the Function constructor in browsers that enforce it, which would stop this sink but also break the library's function-editing feature.

The operational impact is that of stored cross-site scripting: code injected through the JSON runs with the origin's privileges in the victim's browser, so it can read cookies or session tokens, perform actions as the logged-in user, alter the page, or send data to an attacker-controlled host. The impact widens further if the component is rendered somewhere with more than browser-sandbox privileges. The risk is most acute in web applications that use the library to display user-generated content or responses from external APIs. Users who have implemented a custom onSubmitValueParser callback are unaffected, because the default parser that calls eval is never invoked; they should still confirm that their own parser does not evaluate strings. For everyone else, the default behavior is a significant security risk that needs immediate attention on affected versions.

Remediation depends on the installed version. Versions prior to 2.2.2 contain the eval implementation with no way to turn it off, so upgrading is mandatory. Version 2.2.2 replaced eval with the Function constructor, which creates anonymous functions without access to local closures (only the global scope) and does not run code merely by constructing the function; this narrows the exposure but does not remove it, since the string still becomes executable code once the created function is invoked. Version 2.2.2 also introduced the allowFunctionEvaluation prop on JsonTree, but left it defaulting to true for backwards compatibility, so an upgrade to 2.2.2 alone is not a full fix: the prop must be set to false explicitly. Version 3.0.0 changed the default to false, so no extra configuration is needed there. Organizations should upgrade, set the prop to false wherever they remain on a 2.x release, test any custom onSubmitValueParser against the new behavior, and enable function evaluation only for data whose authors are fully trusted.
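The following is an added illustration for the two paragraphs above (the eval sink and the opt-in remediation); it is not the library's code. It models a value parser that special-cases strings beginning with "function", shows how a constructed payload executes during parsing when the string reaches eval, and shows the hardened shape in which evaluation is off unless an allowFunctionEvaluation option is passed. The names parseValueUnsafe, parseValueSafe, findFunctionStrings and the sample JSON document are all constructed for this example; findFunctionStrings is a small audit helper that lists the JSON paths whose values would hit the sink.

```javascript
// Added example, not the library's code. Two parsers with the same
// interface: one that evaluates "function..." strings (vulnerable shape),
// one where evaluation is opt-in and off by default (hardened shape).

// Records whether an injected statement actually ran.
const sideEffects = [];

// Vulnerable shape: a string starting with "function" becomes code.
function parseValueUnsafe(raw) {
  if (typeof raw !== 'string') return raw;
  if (raw.indexOf('function') === 0) {
    // eslint-disable-next-line no-eval
    return eval(`(${raw})`); // untrusted text reaches the interpreter
  }
  try {
    return JSON.parse(raw);
  } catch (e) {
    return raw; // not JSON, keep it as a plain string
  }
}

// Hardened shape: evaluation must be requested explicitly (hypothetical
// option name mirroring the prop described in the advisory).
function parseValueSafe(raw, { allowFunctionEvaluation = false } = {}) {
  if (typeof raw !== 'string') return raw;
  if (raw.indexOf('function') === 0) {
    if (!allowFunctionEvaluation) return raw; // stays a string, nothing runs
    // Opting in is still code execution for whoever authored the string;
    // the Function constructor runs in global scope and builds a function
    // from the text, but calling it executes the attacker's expression.
    return new Function(`return (${raw});`)();
  }
  try {
    return JSON.parse(raw);
  } catch (e) {
    return raw;
  }
}

// Audit helper: JSON paths whose string values would reach the sink.
function findFunctionStrings(value, path = '$', out = []) {
  if (typeof value === 'string') {
    if (value.indexOf('function') === 0) out.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionStrings(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const k of Object.keys(value)) {
      findFunctionStrings(value[k], `${path}.${k}`, out);
    }
  }
  return out;
}

// Constructed untrusted document. The payload closes the parenthesised
// expression, runs its own statement, then reopens a function expression
// so the text eval sees is syntactically valid. sideEffects.push stands in
// for something like sending document.cookie to an attacker's host.
const payload = 'function(){}); sideEffects.push("pwned"); (function(){}';
const untrustedJson = { name: 'widget', onClick: payload, size: '42' };

function demo() {
  sideEffects.length = 0;
  parseValueUnsafe(untrustedJson.onClick); // injected statement runs here
  const ranUnderEval = sideEffects.includes('pwned');

  sideEffects.length = 0;
  const safeValue = parseValueSafe(untrustedJson.onClick); // default: data
  const ranUnderSafe = sideEffects.includes('pwned');

  return {
    ranUnderEval,
    ranUnderSafe,
    safeValueIsString: typeof safeValue === 'string',
    numberStillParses: parseValueSafe(untrustedJson.size) === 42,
    optInYieldsFunction:
      typeof parseValueSafe(payload, { allowFunctionEvaluation: true }) === 'function',
    flaggedPaths: findFunctionStrings(untrustedJson),
  };
}

module.exports = { parseValueUnsafe, parseValueSafe, findFunctionStrings, demo };
```

Running demo() shows the payload executing under the eval-based parser and staying an inert string under the hardened default, while ordinary JSON values such as "42" still parse. The audit helper is the pre-display check a practitioner would run over untrusted data before feeding it to any version that still has evaluation enabled.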

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

08/15/2022

Moderation

accepted

CPE

ready

EPSS

0.01209

KEV

no

Activities

very low
