Property
Language: javascript
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

User input from web requests (query parameters, request bodies, or headers) is passed to JavaScript’s eval() function. Because eval() executes whatever string it receives, an attacker who controls that input can inject and run arbitrary code within your application.
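The pattern this rule flags, next to a hardened rewrite that parses structured input instead of evaluating it, as an added example that is not part of the rule page. The Express-style `req` object, the record shape, the field names and the operator allow-list are assumptions constructed for the example.

```javascript
// Added example (not from the rule page): a web-request filter parameter in the
// flagged form and then hardened. `req` stands in for an Express request object.

// Flagged pattern: request-controlled text reaches eval(), so whatever the
// caller places in ?filter= executes with the server process's privileges.
function applyFilterUnsafe(req, records) {
  const predicate = eval(req.query.filter); // CWE-95: eval injection
  return records.filter(predicate);
}

// Hardened form: the client sends JSON, the server parses it with JSON.parse
// (which never executes code) and accepts only allow-listed fields and operators.
const ALLOWED_FIELDS = new Set(['status', 'owner']);
const OPERATORS = {
  eq: (a, b) => a === b,
  neq: (a, b) => a !== b,
};

function parseFilter(raw) {
  let spec;
  try {
    spec = JSON.parse(raw);
  } catch {
    throw new Error('filter must be valid JSON');
  }
  if (typeof spec !== 'object' || spec === null || Array.isArray(spec)) {
    throw new Error('filter must be a JSON object');
  }
  const { field, op, value } = spec;
  if (!ALLOWED_FIELDS.has(field)) throw new Error(`unknown field: ${String(field)}`);
  // hasOwnProperty rejects inherited names such as "constructor" or "toString".
  if (!Object.prototype.hasOwnProperty.call(OPERATORS, op)) throw new Error(`unknown operator: ${String(op)}`);
  if (typeof value !== 'string') throw new Error('value must be a string');
  return { field, op, value };
}

function applyFilterSafe(req, records) {
  const { field, op, value } = parseFilter(req.query.filter);
  return records.filter((r) => OPERATORS[op](r[field], value));
}

const RECORDS = [ // constructed sample data
  { id: 1, status: 'open', owner: 'alice' },
  { id: 2, status: 'closed', owner: 'bob' },
  { id: 3, status: 'open', owner: 'bob' },
];
const req = { query: { filter: '{"field":"status","op":"eq","value":"open"}' } }; // constructed request
console.log(applyFilterSafe(req, RECORDS).map((r) => r.id)); // [ 1, 3 ]
```

A scanner matching this rule should report the `eval(req.query.filter)` call in `applyFilterUnsafe` and stay silent on `applyFilterSafe`, where request data only ever reaches `JSON.parse`.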

Impact

If exploited, an attacker could run malicious code on your server, potentially leading to data theft, unauthorized system access, or a complete takeover of the application. This poses a serious risk to both user data and the integrity of your system.