Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | High |
Description
User input from web requests is passed, without validation, to `run_in_subinterp`, which compiles and executes the string as Python code in a new sub-interpreter. An attacker who controls that input can therefore inject and run arbitrary Python code on the server.
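The following is an added example, not part of the original rule page and not the scanner's own rule logic. It shows the data flow the description names (request parameter to `run_in_subinterp`) as a constructed vulnerable handler, a hardened handler that never executes request-derived strings, and a small AST check that flags sink calls whose code argument is not a string literal. It assumes a Flask-style `request` object and CPython's `_testcapi.run_in_subinterp` as the sink, and it generalizes the check to the classic CWE-95 sinks `eval` and `exec`; the samples are parsed, never executed, so it runs offline.

```python
"""Added example: spot run_in_subinterp()/eval()/exec() calls fed by non-literal
code strings, and contrast a vulnerable handler with a hardened one.

Assumptions (not from the original rule page): a Flask-style request object and
CPython's _testcapi.run_in_subinterp as the sink. Both samples below are
constructed source text; they are parsed, never executed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Sinks that compile and run a string as Python. run_in_subinterp is the one
# named by the rule; eval/exec are the classic CWE-95 sinks (generalization).
DYNAMIC_EVAL_SINKS = {"run_in_subinterp", "eval", "exec"}


@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    reason: str


def _callee_name(call: ast.Call) -> str:
    """Return the bare callee name for f(...) or obj.f(...), else ''."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""


def find_dynamic_eval(source: str) -> list[Finding]:
    """Flag every sink call whose first argument is not a string literal.

    A literal is fixed at authoring time and cannot carry request data; anything
    else (a variable, a call result, an f-string, a concatenation) is treated as
    potentially attacker-controlled. This is a syntactic check, not taint
    tracking, so it deliberately errs toward reporting.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in DYNAMIC_EVAL_SINKS or not node.args:
            continue
        code_arg = node.args[0]
        if isinstance(code_arg, ast.Constant) and isinstance(code_arg.value, str):
            continue  # fixed literal: not injectable
        findings.append(
            Finding(node.lineno, name, f"code argument is {type(code_arg).__name__}, not a literal")
        )
    return findings


# Constructed sample: the pattern the rule describes. request.args flows straight
# into the sub-interpreter, so the ?code= parameter runs as Python on the server.
VULNERABLE_HANDLER = '''\
from flask import request
import _testcapi

@app.route("/run")
def run():
    code = request.args.get("code", "")
    _testcapi.run_in_subinterp(code)
    return "ok"
'''

# Constructed sample: the fix is to stop running strings at all. The request
# selects a job *name* that is looked up in a fixed table of Python callables.
HARDENED_HANDLER = '''\
from flask import request, abort

def report_health():
    return "healthy"

JOBS = {"health": report_health}

@app.route("/run")
def run():
    name = request.args.get("job", "")
    if name not in JOBS:
        abort(400)
    return JOBS[name]()
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HANDLER), ("hardened", HARDENED_HANDLER)):
        for f in find_dynamic_eval(src):
            print(f"{label}:{f.line}: {f.func}() -- {f.reason}")
```

Run as a script, it reports the single `run_in_subinterp` call in the vulnerable sample and nothing for the hardened one. The design point is that the hardened handler has no sink left to guard: request data chooses among pre-written callables instead of being compiled, which is a stronger fix than trying to filter the string.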
Impact
If exploited, an attacker could execute arbitrary Python code on the server, potentially leading to data theft, data loss, service disruption, or full system compromise. This puts both the application and the underlying server at severe risk.