
CVE-2022-36010 – Arbitrary code execution via function parsing in react-editable-json-tree
https://notcve.org/view.php?id=CVE-2022-36010
15 Aug 2022 — This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, JavaScript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as JavaScript. This unfortunately could allow arbitrary code to be execute...
• https://github.com/oxyno-zeta/react-editable-json-tree/releases/tag/2.2.2
• CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')