Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input is being passed directly into _xxsubinterpreters.run_string(), which executes the input as Python code. This allows attackers to inject and run arbitrary code on the server.
Impact#
If exploited, an attacker could execute any Python commands with the application’s privileges, leading to data theft, system compromise, or complete server takeover. This could result in loss of sensitive data, service disruption, or further attacks on your infrastructure.