Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code uses Python’s eval() function, which executes arbitrary code from a string. If any part of the evaluated content can be influenced by user input or external sources, this introduces a major security risk.
Impact#
An attacker could inject malicious code through user-controllable input, leading to remote code execution, data theft, or complete compromise of the server. This can result in data loss, unauthorized access, or full system takeover.