Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: javascript
Severity: low
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code uses eval(), which executes code constructed as a string. If any part of this string can be influenced by user input or external sources, attackers may run malicious code within your application.

Impact

Exploiting this issue could allow attackers to execute arbitrary JavaScript in your app, leading to data theft, site defacement, or full system compromise. This can result in loss of user trust, data breaches, and potential legal consequences.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code is using functions like eval(), new Function(), setTimeout(), or setInterval() to execute JavaScript code that includes user input from the browser’s URL (such as query parameters or hash). This allows attackers to inject malicious scripts if they can control that input.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

User input from web requests (such as query parameters, request bodies, or headers) is being passed to JavaScript’s eval() function. This allows attackers to inject and execute arbitrary code within your application.

Impact

If exploited, an attacker could run malicious code on your server, potentially leading to data theft, unauthorized system access, or a complete takeover of the application. This poses a serious risk to both user data and the integrity of your system.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

Using require() with a variable (non-literal) argument can let attackers control which files or modules your code loads at runtime. This makes it possible for untrusted input to determine what code is executed.

Impact

If exploited, an attacker could load and execute malicious code or access sensitive files on the server, potentially leading to data theft, system compromise, or further attacks against your application and its users.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

Using eval() or Function() to execute code from strings can allow attackers to inject and run malicious JavaScript if any part of the input is user-controlled. This practice makes your application vulnerable to code injection.

Impact

If exploited, an attacker could execute arbitrary code on your server or within your application, leading to data theft, service disruption, or further compromise of your system. This could result in loss of sensitive information, unauthorized actions, or complete takeover of the application.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: php
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

Using user-supplied input (e.g., from $_GET, $_POST, or route parameters) directly in the PHP assert() function is dangerous because it effectively executes arbitrary PHP code from the user. This allows attackers to inject and run malicious code on your server.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: php
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using assert() with variables that may contain user input is dangerous because assert() will evaluate the input as PHP code. This can allow attackers to execute arbitrary code on your server if they can control the input passed to assert().

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: High

Description

User input from web requests is being passed directly to run_in_subinterp, which executes Python code in a new interpreter. This allows attackers to inject and run arbitrary Python code on the server.

Impact

If exploited, an attacker could execute any Python commands on the server, potentially leading to data theft, data loss, service disruption, or full system compromise. This puts both the application and underlying server at severe risk.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input is being passed directly into _xxsubinterpreters.run_string(), which executes the input as Python code. This allows attackers to inject and run arbitrary code on the server.

Impact

If exploited, an attacker could execute any Python commands with the application’s privileges, leading to data theft, system compromise, or complete server takeover. This could result in loss of sensitive data, service disruption, or further attacks on your infrastructure.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-provided input is being passed directly to Python’s InteractiveConsole or InteractiveInterpreter methods, which execute code dynamically. This means attackers could supply malicious code that gets executed by your application.

Impact

If exploited, an attacker could run arbitrary Python commands on your server, potentially gaining full control over the system, accessing sensitive data, altering application behavior, or causing service disruptions.