Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Directly assigning arbitrary values to a class’s `__annotations__` attribute can be unsafe, especially if those values are later passed to `typing.get_type_hints`, which evaluates any string annotation as Python code in the module’s global namespace and the class’s local namespace. This can allow unexpected or malicious code execution if the annotation values are not strictly controlled.
Impact
If an attacker can influence the values assigned to `__annotations__`, they can inject code that is executed when `typing.get_type_hints` is called. This can lead to arbitrary code execution, data leaks, or compromise of the application’s environment.
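The following is an added example (not part of the original rule page) that demonstrates the pattern described above with a benign marker function instead of a harmful payload, and shows a hardened alternative that resolves annotation names by allow-list lookup instead of evaluation. `Record`, `side_effect`, `ALLOWED_TYPES` and the helper functions are constructed for this illustration.

```python
import typing

CALLS = []  # constructed marker: records that the annotation string was executed


def side_effect():
    """Benign stand-in for whatever code an annotation string could run."""
    CALLS.append("executed")
    return int


class Record:
    pass


def unsafe_hints(annotation_text: str) -> dict:
    """Vulnerable pattern: an externally influenced string is stored in
    __annotations__, and get_type_hints() later evaluates it as code."""
    Record.__annotations__ = {"field": annotation_text}
    # For a class defined in this module, globalns=globals() matches what
    # get_type_hints() uses by default; it is passed explicitly for clarity.
    return typing.get_type_hints(Record, globalns=globals())


# Hardened pattern: fixed mapping of permitted annotation names to types.
ALLOWED_TYPES = {"int": int, "str": str, "float": float, "bool": bool}


def safe_hints(annotations: dict) -> dict:
    """Resolve annotations without evaluating them: accept real type objects,
    or strings naming an allow-listed type; reject everything else."""
    resolved = {}
    for name, value in annotations.items():
        if isinstance(value, type):
            resolved[name] = value
        elif isinstance(value, str) and value in ALLOWED_TYPES:
            resolved[name] = ALLOWED_TYPES[value]
        else:
            raise ValueError(f"annotation {name!r} rejected: {value!r}")
    return resolved


def rejects(annotations: dict) -> bool:
    """True if safe_hints() refuses the given annotations."""
    try:
        safe_hints(annotations)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_hints("side_effect() or int"), CALLS)   # side_effect() ran
    print(safe_hints({"count": "int", "label": str}))    # no evaluation
    print(rejects({"count": "side_effect() or int"}))    # True
```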