-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from the fromJSON function's unsafe handling of user input. The commit diff shows this function used eval() on raw user-controlled strings from JSON input to recreate function objects. As eval() executes any arbitrary code in the input strings, and the function accepted user-controlled rules argument without validation, this creates a code injection vector. Multiple sources (CVE, GHSA, Snyk, and the patch commit) explicitly identify fromJSON as the vulnerable entry point that was removed in the patched version.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-rules | npm | >= 3.0.0, < 5.0.0 | 5.0.0 |
JavaScriptJavaScriptOngoing coverage of React2Shell