CVE-2026-24474
Code Injection via eval in Dioxus Components' use_animated_open
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dioxuslabs | dioxus_components | all versions before commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a (fixing commit excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24474 is a vulnerability in the Rust package dioxus_components where the function use_animated_open formats a string for JavaScript eval using an id that can be supplied by the user without proper validation. This allows an attacker to inject and execute arbitrary JavaScript code, leading to a JavaScript injection vulnerability. The issue was fixed by changing the code to use asynchronous message passing instead of direct string interpolation for eval, preventing unsafe code execution. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the application using dioxus_components. This could lead to unauthorized actions, data theft, or manipulation of the user interface. Users who provide or handle IDs insecurely are at risk, as malicious input could be executed, potentially compromising application security and user data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe evaluation of user-supplied IDs in the `use_animated_open` function leading to JavaScript injection. Detection can focus on identifying usage of the vulnerable `dioxus_components` package version prior to the patch (commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a). You can scan your codebase or dependencies for this package version. Additionally, monitoring for suspicious JavaScript eval executions or unexpected script injections related to user-supplied IDs in your application logs may help. Specific commands could include searching your code or dependencies for the vulnerable function usage, for example using `grep` or similar tools: `grep -r 'use_animated_open' ./` or checking your package lock files for vulnerable versions. Network detection is limited as this is a code-level vulnerability without a specific network signature. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the `dioxus_components` package to include the patch introduced in commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, which replaces unsafe string formatting for `eval` with asynchronous message passing to safely handle user-supplied IDs. Applying this update prevents JavaScript injection by properly sanitizing or avoiding direct evaluation of user input. Additionally, review your code to avoid passing user-supplied data directly into `eval` or similar functions without validation. [1, 2]
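The vulnerable and fixed shapes described in the explanation and mitigation answers above, as an added Rust example that is not code from dioxus_components: `eval_script_interpolated`, `OPEN_SCRIPT`, `recvFromRust`, `OpenAnimation`, `IdError` and the id allow-list rule are assumptions made for this illustration.

```rust
// Added example, not dioxus_components code. Contrasts a caller-controlled id
// interpolated into a script that is then eval'd with a hardened shape where
// the script body is constant and the id travels as validated data.

#[derive(Debug, PartialEq)]
pub enum IdError {
    Empty,
    TooLong,
    BadChar(char),
}

/// Vulnerable shape: `id` becomes part of JavaScript source. A quote or
/// separator inside `id` ends the string literal; what follows is code.
pub fn eval_script_interpolated(id: &str) -> String {
    format!("document.getElementById(\"{}\").classList.add(\"open\");", id)
}

/// Hardened shape: the script never changes; the id arrives as a message
/// (`recvFromRust` is a hypothetical receive hook standing in for the
/// asynchronous message passing the fix switched to).
pub const OPEN_SCRIPT: &str =
    "const id = await recvFromRust(); document.getElementById(id).classList.add(\"open\");";

/// Message carrying the id to the fixed script. It can only be built from a
/// validated id, so unvalidated input never reaches the script.
#[derive(Debug, PartialEq)]
pub struct OpenAnimation {
    id: String,
}

/// Conservative allow-list (assumed rule): non-empty, at most 64 bytes,
/// ASCII letters, digits, '-' and '_' only.
pub fn validate_element_id(id: &str) -> Result<&str, IdError> {
    if id.is_empty() {
        return Err(IdError::Empty);
    }
    if id.len() > 64 {
        return Err(IdError::TooLong);
    }
    match id.chars().find(|c| !(c.is_ascii_alphanumeric() || *c == '-' || *c == '_')) {
        Some(c) => Err(IdError::BadChar(c)),
        None => Ok(id),
    }
}

impl OpenAnimation {
    pub fn new(id: &str) -> Result<Self, IdError> {
        validate_element_id(id).map(|ok| OpenAnimation { id: ok.to_string() })
    }
    pub fn id(&self) -> &str {
        &self.id
    }
}
```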