Property
Language: javascript
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

Using eval() or Function() to execute code from strings can allow attackers to inject and run malicious JavaScript if any part of the input is user-controlled. This practice makes your application vulnerable to code injection.
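The following is an added example, not code from the rule page: it shows the pattern this rule flags (a string handed straight to eval()) next to a hardened replacement that parses the input against a closed arithmetic grammar instead of executing it. The function names, the grammar, and the sample inputs are assumptions chosen for illustration.

```javascript
// Added example (not from the original rule page). Shows the flagged pattern
// and a replacement that never turns input into executable code.

// VULNERABLE: whatever string the caller supplies becomes JavaScript.
// If `expr` is user-controlled, this is the CWE-95 pattern the rule reports.
function unsafeCalculate(expr) {
  return eval(expr); // flagged: dynamic code evaluation of a string
}

// HARDENED: accept only a closed grammar (numbers, + - * /, parentheses)
// and evaluate it with a small recursive-descent parser. Nothing the
// caller writes can reach an interpreter, so there is no injection path.
function safeCalculate(expr) {
  if (typeof expr !== 'string' || expr.length > 200) {
    throw new Error('invalid expression');
  }
  // Allowlist check: digits, whitespace, operators and parentheses only.
  if (!/^[\d\s+\-*/().]+$/.test(expr)) {
    throw new Error('expression contains disallowed characters');
  }
  const tokens = expr.match(/\d+(?:\.\d+)?|[+\-*/()]/g) || [];
  // Every non-whitespace character must have become a token (catches "1.").
  if (tokens.join('') !== expr.replace(/\s+/g, '')) {
    throw new Error('malformed expression');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parsePrimary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const v = parseExpr();
      if (next() !== ')') throw new Error('expected )');
      return v;
    }
    if (t === '-') return -parsePrimary(); // unary minus
    if (/^\d/.test(t)) return Number(t);
    throw new Error(`unexpected token ${t}`);
  }
  function parseTerm() {
    let v = parsePrimary();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = parsePrimary();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function parseExpr() {
    let v = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('trailing input');
  return result;
}

// Returns true when the hardened evaluator refuses the input.
function isRejected(expr) {
  try {
    safeCalculate(expr);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample inputs: one arithmetic expression and one string that
// is valid JavaScript but not arithmetic.
const benign = '2 + 3 * (4 - 1)';
const notArithmetic = 'process.exit()';
```

Both functions return 11 for the benign input; the difference is that safeCalculate() rejects anything outside the grammar before any evaluation happens, whereas unsafeCalculate() would execute it.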

Impact

If exploited, an attacker could execute arbitrary code on your server or within your application, leading to data theft, service disruption, or further compromise of your system. This could result in loss of sensitive information, unauthorized actions, or complete takeover of the application.