You need proper pentesting around JSON, code execution, API security, XSS. Mainly sanitising user input: someone has highly likely, possibly, slipped malicious code through somewhere. You need to prevent them from executing such code, and you must validate user input - if your issue is related, of course.