Property
Language: javascript
Severity: medium
CWE: CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

If user input (such as query parameters, request body, or headers) is passed directly to require(), an attacker could control which code modules are loaded at runtime. This makes it possible to execute unintended or malicious code on the server.
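The flagged pattern next to an allowlisted form, as an added example that is not code from this rule's authors. The `parser` query field, the function names, and the use of Node built-ins as stand-ins for an application's own modules are assumptions made for illustration.

```javascript
// Added example with constructed names; Node built-ins stand in for app modules.

// FLAGGED: the request value is the module specifier, so the caller decides
// which module (built-in, installed package, or file path) gets loaded.
function loadParserUnsafe(query) {
  return require(query.parser);
}

// HARDENED: the request value is only a lookup key. Every specifier that
// reaches require() is a string literal chosen by the developer.
// A Map is used instead of a plain object so that keys such as
// "constructor" or "__proto__" do not resolve to inherited properties.
const ALLOWED_PARSERS = new Map([
  ['query', () => require('querystring')],
  ['url', () => require('url')],
]);

function loadParser(query) {
  const name = query.parser;
  // Express-style query values can be arrays or objects; accept strings only.
  if (typeof name !== 'string') return null;
  const loader = ALLOWED_PARSERS.get(name);
  // Unknown keys are rejected; the caller should answer with a 4xx status.
  return loader ? loader() : null;
}

// Constructed sample inputs, as a request handler would see them.
const samples = [
  { parser: 'query' },          // allowlisted key
  { parser: 'os' },             // real module, but not allowlisted
  { parser: './local-file' },   // relative path
  { parser: ['query'] },        // non-string value
];
for (const q of samples) {
  const mod = loadParser(q);
  console.log(JSON.stringify(q.parser), '->', mod ? 'loaded' : 'rejected');
}
```
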

Impact

Exploiting this vulnerability could let an attacker load arbitrary files or code, potentially leading to data theft, server compromise, or full control over your application’s behavior. This can result in data breaches, service disruption, or further attacks on your infrastructure.