Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User-controlled input from environment variables or command-line arguments is being passed directly to run_in_subinterp, allowing untrusted code to be executed. This makes it possible for attackers to inject and run arbitrary Python code within a subprocess.
Impact#
If exploited, an attacker could execute malicious Python code on the server, potentially leading to data theft, system compromise, or a complete takeover of the application. This could result in loss of sensitive data, disruption of services, and significant security breaches.