Property
Language: javascript
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input taken from an HTTP request (query string, body, headers, path) is passed, without validation, as the script source to a Node.js 'vm' module function such as vm.runInContext or vm.runInNewContext. Because the input becomes code rather than data, an attacker can inject and execute arbitrary JavaScript inside the server process. Running the input in a fresh context or with a timeout does not change this: the Node.js documentation states that the vm module is not a security mechanism and must not be used to run untrusted code, and code evaluated in a vm context can reach the host process through ordinary JavaScript object references.

Impact

If exploited, an attacker can run code of their choosing with the privileges of the Node.js process: reading environment variables, credentials and application data, altering server behavior, calling out to internal services, or executing operating-system commands through the child_process module. Depending on the process's privileges and the network it sits on, this can lead to data breaches, service disruption, or complete compromise of the host.