Improper Control of Generation of Code (‘Code Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using the Node.js `vm` module to execute code that includes user input is unsafe, because the input is run as JavaScript and an attacker who controls it can inject and run arbitrary code. The weakness occurs when untrusted data is passed to `vm` functions such as `vm.runInContext` or `vm.compileFunction`.
Impact
If exploited, an attacker could execute malicious code on your server, potentially accessing sensitive data, modifying application behavior, or compromising the entire system. This can lead to data breaches, service disruption, and further attacks within your environment.