Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input is being passed directly to Python’s exec() function, allowing attackers to inject and execute arbitrary code. This practice is highly insecure and should be avoided, especially in web applications like those using Flask.
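The vulnerable pattern described above, shown beside a hardened alternative that never hands user text to exec(), plus a small AST check that flags exec()/eval() calls whose code is built at runtime. This is an added example, not code from the rule page or from Flask; the function names (vulnerable_calculate, safe_calculate, find_dynamic_eval_calls), the operator allow-list and the SAMPLE_FLASK_VIEW source are assumptions constructed for illustration.

```python
"""Vulnerable exec() use beside a hardened alternative, plus an AST-based
check for dynamically evaluated code. Added example; all names here are
assumptions, not part of the rule page or of Flask."""
import ast
import operator


# --- Vulnerable pattern (CWE-95): the request string reaches exec() as code. ---
def vulnerable_calculate(user_expression: str):
    """Runs user-controlled text as Python. Whatever the caller sends executes
    with the full privileges of the server process; do not do this."""
    namespace = {}
    exec(f"result = {user_expression}", {}, namespace)
    return namespace.get("result")


# --- Hardened alternative: parse the text and interpret only an allow-list. ---
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def safe_calculate(user_expression: str):
    """Parses the input with ast and evaluates only numeric constants, the four
    arithmetic operators and unary minus. Names, calls, attribute access and
    everything else are rejected, so user input can never reach exec()/eval()."""
    tree = ast.parse(user_expression, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
            return _ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


# --- Detection: flag exec()/eval() calls whose first argument is not a string literal. ---
def find_dynamic_eval_calls(source: str) -> list:
    """Returns sorted (line, call_name) pairs for each exec()/eval() call whose
    code argument is built at runtime. A constant string still deserves review,
    but the dynamic case is the one this rule targets."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            first = node.args[0] if node.args else None
            is_literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
            if not is_literal:
                findings.append((node.lineno, node.func.id))
    return sorted(findings)


# Constructed sample of a Flask view for the detector to scan (not real project code).
SAMPLE_FLASK_VIEW = '''
from flask import request

def calc():
    code = request.args.get("expr")
    exec("result = " + code)      # dynamic code: flagged
    eval(code)                    # dynamic code: flagged
    exec("print('static')")       # string literal: not flagged
    return "ok"
'''


if __name__ == "__main__":
    print("vulnerable:", vulnerable_calculate("2 + 3"))
    print("hardened:  ", safe_calculate("2 + 3"))
    try:
        safe_calculate("__import__('os')")
    except ValueError as err:
        print("rejected:  ", err)
    print("findings:  ", find_dynamic_eval_calls(SAMPLE_FLASK_VIEW))
```

The hardened version does not try to make exec() safe by trimming its globals or builtins; restricted namespaces are routinely escaped and are not a sandbox. The fix is to interpret a narrow grammar yourself, as safe_calculate does, or to map user input onto a fixed set of server-side functions. The detector gives a quick triage pass over a code base; treat its findings as leads for review, since string concatenation into a literal (the first flagged line) and an aliased exec are only partly covered by this simple check.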
Impact
If exploited, an attacker could run arbitrary Python code on your server, potentially gaining full control over the system, accessing or modifying sensitive data, and compromising the security of your application and its users.