Platform: javascript
Component: @dioxuslabs/components
Fixed in: 41.0.1
CVE-2026-24474 describes a Remote Code Execution (RCE) vulnerability discovered in the Dioxus Components JavaScript library. An attacker can inject and execute arbitrary code by manipulating the id parameter of the useanimatedopen function, which interpolates that parameter into a string that is then passed to eval. The vulnerability affects versions of Dioxus Components prior to the fix in commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. A patch has been released to address this issue.
The impact of CVE-2026-24474 is severe, enabling an attacker to achieve Remote Code Execution (RCE) on systems utilizing vulnerable Dioxus Components. This means an attacker could potentially gain complete control over the affected application and its underlying infrastructure. Successful exploitation could lead to data breaches, system compromise, and further lateral movement within a network. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, stealing sensitive data, and disrupting services. This vulnerability shares similarities with other eval-based injection flaws, where user-supplied input is directly incorporated into code execution, bypassing security controls.
CVE-2026-24474 was publicly disclosed on 2026-01-23. The vulnerability is not currently listed on CISA KEV, and an EPSS score is pending evaluation. No proof-of-concept (PoC) exploits have been publicly released at the time of writing, but the nature of the vulnerability (RCE via eval) suggests a high likelihood of PoCs emerging. Active exploitation campaigns are not currently confirmed.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-24474 is to upgrade immediately to a release that includes commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. If upgrading is not immediately feasible, implement strict input validation on the id parameter passed to useanimatedopen so that only values matching your application's expected id format reach the function. A direct workaround is difficult without modifying the library, but an allowlist on the id reduces the attack surface. Review your application's code for any other place where user-supplied data reaches an eval call and replace it with a non-evaluating alternative. After upgrading, confirm the fix by passing an id containing characters outside your allowlist to useanimatedopen and verifying that it is rejected rather than evaluated.
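The interim mitigation above is an allowlist on the id parameter combined with not handing the id to eval at all. The following is an added illustration written for this entry, not code from Dioxus Components: useanimatedopen is the real function named in the advisory, while the helper names, the allowlist pattern and the fake document used to run it outside a browser are assumptions.

```javascript
// Added example (not Dioxus Components code): validate an element id at the
// boundary and look it up through a DOM API instead of evaluating source text.

// Conservative allowlist: letters, digits, hyphen, underscore, bounded length.
// Quotes, backslashes, newlines and template delimiters are rejected outright
// rather than escaped. Widen this deliberately if your ids use other characters.
const SAFE_ID = /^[A-Za-z0-9_-]{1,128}$/;

function isSafeElementId(id) {
  return typeof id === "string" && SAFE_ID.test(id);
}

// Fail closed: throw on anything unexpected instead of passing it downstream.
function requireSafeElementId(id) {
  if (!isSafeElementId(id)) {
    throw new TypeError(`rejected element id: ${JSON.stringify(String(id))}`);
  }
  return id;
}

// Hardened lookup: the id is data given to getElementById, never source text
// for eval. `doc` is injectable so the function can be exercised in Node.
function findAnimatedElement(id, doc = globalThis.document) {
  return doc.getElementById(requireSafeElementId(id)) ?? null;
}

// Constructed minimal stand-in for `document` so the example runs offline.
function makeFakeDocument(ids) {
  const elements = new Map(ids.map((id) => [id, { id }]));
  return { getElementById: (id) => elements.get(id) ?? null };
}

// Self-check when run directly: node this-file.js
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const doc = makeFakeDocument(["panel-1", "menu_main"]);
  console.log(findAnimatedElement("panel-1", doc)); // { id: 'panel-1' }
  try {
    findAnimatedElement('not a valid "id"', doc);
  } catch (e) {
    console.log(e.message); // rejected element id: "not a valid \"id\""
  }
}
```

Wrap calls into useanimatedopen with requireSafeElementId (or an equivalent check) until the patched release is deployed; the validator is also a convenient place to log rejected ids, which gives you a detection signal for attempts against the unpatched code path.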
Update the Dioxus Components library to a version that includes commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. This corrects the JavaScript injection vulnerability. Test the application after the update to verify there are no compatibility issues.
CVE-2026-24474 is a Remote Code Execution vulnerability in the Dioxus Components JavaScript library, allowing attackers to execute arbitrary code through improper handling of the id parameter.
You are affected if your application uses a Dioxus Components version prior to the fix in commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a and does not have adequate input validation in place.
Upgrade to a release that includes commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. Implement input validation on the id parameter if an immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability's nature suggests a high likelihood of exploitation.
Refer to the Dioxus Components repository and related documentation for the official advisory and release notes.