Platform: javascript
Component: @dioxuslabs/components
Fixed version: 41.0.1
CVE-2026-24474 describes a Remote Code Execution (RCE) vulnerability discovered in the Dioxus Components JavaScript library. An attacker can inject and execute arbitrary code by manipulating the id parameter of the useanimatedopen function, which interpolates that parameter into a string that is then passed to eval. The vulnerability affects versions of Dioxus Components prior to 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. A patch has been released to address this issue.
The impact of CVE-2026-24474 is severe, enabling an attacker to achieve Remote Code Execution (RCE) on systems utilizing vulnerable Dioxus Components. This means an attacker could potentially gain complete control over the affected application and its underlying infrastructure. Successful exploitation could lead to data breaches, system compromise, and further lateral movement within a network. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, stealing sensitive data, and disrupting services. This vulnerability shares similarities with other eval-based injection flaws, where user-supplied input is directly incorporated into code execution, bypassing security controls.
CVE-2026-24474 was publicly disclosed on 2026-01-23. The vulnerability is not currently listed on CISA KEV, and an EPSS score is pending evaluation. No public proof-of-concept (PoC) exploits had been released at the time of writing, but the nature of the vulnerability (RCE via eval) suggests a high likelihood of PoCs emerging. Active exploitation campaigns are not currently confirmed.
Applications built using the Dioxus app framework and utilizing the Dioxus Components library are at risk. This includes projects that rely on user-supplied input to configure or control components within the application. Developers who have not implemented robust input validation and sanitization practices are particularly vulnerable.
• javascript / web: Inspect application code for calls to useanimatedopen that receive a user-supplied id parameter. Look for any place where that id reaches eval without proper sanitization.
• generic web: Monitor web server access logs for unusual requests to endpoints that use Dioxus Components, particularly those that invoke the useanimatedopen function.
• wordpress / composer / npm: Run npm audit or yarn audit to identify dependencies with known vulnerabilities, including Dioxus Components. Check package.json for the @dioxuslabs/components package and its version.
Disclosure
Exploitation status:
EPSS: 0.02% (6th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-24474 is to upgrade immediately to version 41e4242ecb1062d04ae42a5215363c1d9fd4e23a or later. If upgrading is not immediately feasible, implement input validation and sanitization on the id parameter passed to the useanimatedopen function to prevent code injection. A direct workaround is difficult without modifying the library, but strict input validation reduces the attack surface. Review your application's code for any place where user-supplied data reaches an eval call and apply robust security controls there. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a malicious id parameter; it should now be properly sanitized.
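The following example is added here and is not code from Dioxus Components or this advisory's author. It illustrates the defect class described above (an untrusted id spliced into source text handed to eval) beside two defences the mitigation recommends: an allowlist check on the id and a builder that emits the id as a JSON string literal so it can only be data. It also includes a small audit helper for the "inspect code for eval with interpolation" step. The allowlist character set, the function names and the stand-in runtime are assumptions for this example.

```javascript
// Allowlist for element ids: letters, digits, '-' and '_', bounded length.
// This character set is an assumption for the example, not a Dioxus rule.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Reject anything that is not a plain element id before it reaches code text.
function validateId(id) {
  if (typeof id !== 'string' || !SAFE_ID.test(id)) {
    throw new TypeError(`rejected element id: ${JSON.stringify(id)}`);
  }
  return id;
}

// Vulnerable shape: raw interpolation. Whatever is in `id` is parsed as code.
function buildUnsafeSnippet(id) {
  return `openElement("${id}")`;
}

// Hardened shape: the id passes the allowlist and is emitted as a JSON string
// literal, so quotes, backslashes and newlines inside it stay inside the literal.
function buildSafeSnippet(id) {
  return `openElement(${JSON.stringify(validateId(id))})`;
}

// Constructed stand-in runtime for the generated snippet; a real app would look
// up the DOM. The snippet runs inside a Function and sees only openElement.
function runSnippet(snippet) {
  const opened = [];
  const openElement = (id) => { opened.push(id); };
  new Function('openElement', snippet)(openElement);
  return opened;
}

// Audit helper: returns 1-based line numbers where a template string with
// interpolation, or a '+'-concatenated string, is fed straight into eval().
function findRiskyEvalLines(source) {
  const risky = /\beval\s*\(\s*(`[^`]*\$\{|[^)]*\+)/;
  return source
    .split('\n')
    .map((line, i) => ({ line, n: i + 1 }))
    .filter(({ line }) => risky.test(line))
    .map(({ n }) => n);
}
```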
Update the Dioxus Components library to a release that includes commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a or later. This fixes the JavaScript injection vulnerability. Be sure to test the application after updating to verify that there are no compatibility issues.
CVE-2026-24474 is a Remote Code Execution vulnerability in the Dioxus Components JavaScript library, allowing attackers to execute arbitrary code through improper handling of the id parameter.
You are affected if your application uses Dioxus Components versions prior to 41e4242ecb1062d04ae42a5215363c1d9fd4e23a and does not have adequate input validation in place.
Upgrade to version 41e4242ecb1062d04ae42a5215363c1d9fd4e23a or later. Implement input validation on the id parameter if immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability's nature suggests a high likelihood of exploitation.
Refer to the Dioxus Components repository and related documentation for the official advisory and release notes.