Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
The code passes user-controlled input—such as environment variables or command-line arguments—directly into _xxsubinterpreters.run_string(), allowing execution of arbitrary Python code. This means an attacker could inject and run their own code within your application.
Impact#
If exploited, an attacker could execute malicious Python commands with the same privileges as your application. This can lead to data theft, unauthorized access, service disruption, or full system compromise, putting sensitive data and systems at significant risk.