AI Security Review
scanned 4h ago · by lpm-firewall-aiRendering the Lottie component with an attacker-controlled animation URL fetches JSON at runtime. Lottie expressions are enabled by default and the bundled renderer evaluates expression text from that JSON.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer configures and renders Lottie with a malicious `animationUrl`.
Impact
JavaScript can execute in the consuming page's origin and access data available to that page.
Mechanism
Remote animation JSON expression evaluation via `eval`.
Rationale
The package contains a concrete remote-data-to-`eval` chain in its public Lottie component. No install-time malware or unrelated exfiltration behavior was found, so it warrants a warning rather than a publication block.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/Lottie/manifest.jsdist/site/components/chunks/Tooltip.js
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/site/components/Lottie/component.js` fetches caller-configured `animationUrl` and parses it as JSON.
- The same Lottie bundle enables expressions by default and evaluates animation field `data.x` with `eval`.
- `dist/site/components/Lottie/manifest.js` declares `animationUrl` as a web URL, forming a remote-data-to-eval runtime path.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle hook.
- No child-process, filesystem-harvesting, credential-exfiltration, or persistence behavior was found in reviewed runtime files.
- Direct scan of `dist/site/components/chunks/Tooltip.js` found no non-ASCII/Trojan Source characters.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/Tooltip.jsView file
7191contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/Tooltip.jsView on unpkg · L7191dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings