Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Calling require() with a variable (non-literal) argument lets whoever controls that value choose which file or module your code loads at runtime. If untrusted input can reach that argument, the input decides what code is executed.
Impact
If exploited, an attacker could load and execute malicious code or access sensitive files on the server, potentially leading to data theft, system compromise, or further attacks against your application and its users.