Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
This rule flags code that passes data from environment variables or command-line arguments directly into Python's InteractiveConsole or InteractiveInterpreter (both in the standard-library code module), whose push() and runsource() methods compile and execute the string they receive as Python. If user-controlled input reaches these classes, an attacker can execute arbitrary Python code within your application.
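As an added example (not code from this rule page or the scanner), the flagged pattern shown next to a hardened replacement that parses the command-line value as a literal instead of executing it; the function names and the sample setting values are assumptions:

```python
import ast
import code
import sys


def run_from_argv(argv: list) -> bool:
    """Flagged pattern (CWE-95): argv[1] is executed verbatim as Python.

    Whoever controls the command line controls the code that runs, and the
    interpreter keeps state between calls.
    """
    interp = code.InteractiveInterpreter()
    source = argv[1] if len(argv) > 1 else ""
    # runsource() compiles and runs the string; it returns False once a complete
    # statement was executed (or failed to compile) and True if more input is needed.
    return interp.runsource(source)


def is_literal(raw: str) -> bool:
    """True when raw parses as a plain Python literal (no names, calls or attributes)."""
    try:
        ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False
    return True


def load_setting(raw: str, *, allowed_types=(int, float, str, bool, list, dict)):
    """Hardened replacement: the program needs a value, never executable code.

    ast.literal_eval accepts only literal syntax, so names such as __import__
    or attribute access are rejected before anything is evaluated. The type
    check narrows what the caller has to handle downstream.
    """
    if not is_literal(raw):
        raise ValueError(f"setting is not a plain literal: {raw!r}")
    value = ast.literal_eval(raw)
    if not isinstance(value, allowed_types):
        raise ValueError(f"unexpected setting type {type(value).__name__}")
    return value


if __name__ == "__main__":
    # Constructed sample: a setting supplied on the command line.
    print(load_setting(sys.argv[1] if len(sys.argv) > 1 else "{'debug': False}"))
```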
Impact
Exploiting this vulnerability allows attackers to run any Python code on your server, potentially leading to data theft, system compromise, or a complete takeover of your application environment. This can result in loss of sensitive information, service disruption, or further attacks against your infrastructure.