CVE-2022-36010 is a medium-severity vulnerability in the open-source JavaScript library react-editable-json-tree, maintained by oxyno-zeta. This library allows users to display and edit JSON data structures in React applications, including the ability to parse strings as executable JavaScript functions via a specialized component called JsonFunctionValue. The vulnerability arises from the use of JavaScript's eval function (in versions prior to 2.2.2) to dynamically evaluate strings that begin with "function" as JavaScript code. This improper neutralization of directives in dynamically evaluated code (CWE-95) enables an attacker to inject and execute arbitrary JavaScript code if such malicious code is present within the JSON data being rendered. Since this component is often used to display data from untrusted or arbitrary sources, the risk of code injection is significant. The vulnerability is specifically tied to the default onSubmitValueParser prop of the JsonTree component, which calls a parse function that uses eval. Users who have implemented a custom onSubmitValueParser callback are not affected. The maintainers addressed this issue starting in version 2.2.2 by replacing eval with the Function constructor, which only creates anonymous functions without local closures and limits scope to the global context, reducing immediate arbitrary code execution risk. However, to fully mitigate the vulnerability in versions 2.2.2 and above, the allowFunctionEvaluation prop must be explicitly set to false. From version 3.0.0 onwards, allowFunctionEvaluation defaults to false, providing out-of-the-box protection. In summary, the vulnerability allows remote attackers to execute arbitrary JavaScript code in the context of the affected application if they can supply malicious JSON data containing function strings. This can lead to cross-site scripting (XSS) or other code injection attacks, compromising confidentiality, integrity, and availability of the affected web applications.

For European organizations, the impact of CVE-2022-36010 can be significant, especially for those relying on react-editable-json-tree in web applications that process or display JSON data from untrusted sources. Successful exploitation could allow attackers to execute arbitrary JavaScript code within the victim's browser context, leading to theft of sensitive information such as authentication tokens, session cookies, or personal data, violating GDPR and other data protection regulations. It could also enable attackers to manipulate the user interface, perform unauthorized actions on behalf of users, or deliver further malware payloads. Industries such as finance, healthcare, government, and critical infrastructure that use React-based dashboards or data visualization tools incorporating this library are at higher risk. The vulnerability could be exploited to target internal applications or customer-facing portals, potentially resulting in data breaches, reputational damage, regulatory fines, and operational disruptions. Given the ease of injecting malicious JSON data in some scenarios (e.g., user-generated content, third-party integrations), the attack surface is non-trivial. While no known exploits are reported in the wild, the widespread use of React and the increasing adoption of JSON-editing components in European digital services underscore the importance of addressing this vulnerability promptly to prevent exploitation.

1. Immediate Upgrade: Organizations using react-editable-json-tree versions earlier than 2.2.2 should upgrade to version 3.0.0 or later where allowFunctionEvaluation defaults to false. 2. Configuration Hardening: For applications that must use versions between 2.2.2 and 3.0.0, explicitly set the allowFunctionEvaluation prop to false on the JsonTree component to disable function evaluation. 3. Custom Parser Usage: If feasible, implement a custom onSubmitValueParser callback that does not rely on eval or Function constructors to parse JSON values. 4. Input Validation and Sanitization: Enforce strict validation and sanitization of JSON data inputs, especially those originating from untrusted or external sources, to prevent injection of malicious function strings. 5. Content Security Policy (CSP): Deploy a robust CSP that restricts the execution of inline scripts and limits the sources of executable code to reduce the impact of potential code injection. 6. Security Testing: Incorporate static and dynamic application security testing (SAST/DAST) focused on client-side code evaluation to detect unsafe usage of eval or Function. 7. Monitoring and Incident Response: Monitor application logs and user activity for anomalous behavior indicative of exploitation attempts and prepare incident response plans accordingly. These measures collectively reduce the risk of exploitation and help maintain compliance with European data protection standards.