Property
Language: javascript
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input taken from an HTTP request is passed directly to vm2 as the code to execute, without validation or sanitization. Untrusted data therefore decides what program runs inside the virtual machine, rather than only supplying values to a program the application controls.

Impact

If exploited, attackers could execute arbitrary code within the vm2 sandbox, potentially bypassing sandbox restrictions, stealing sensitive data, escalating privileges, or disrupting service. This puts the entire application and its data at risk.