Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input is passed, unmodified, to Python's eval(), which compiles and runs the string as Python code with the caller's builtins and globals available. An attacker who controls that string is not limited to the values the developer expected: an expression such as `__import__('os').system(...)` runs arbitrary commands with the privileges of the application process. Keyword blacklists and clearing `__builtins__` do not close the hole, because attribute access on ordinary objects still reaches arbitrary classes and functions. Safe alternatives are `ast.literal_eval()` for literal data, an explicit parser or allow-list for the input, or a dispatch table keyed by the expected values.
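The snippet below is an added example, not code from this rule page: it shows the vulnerable pattern the rule flags, why emptying `__builtins__` is not a fix, and a hardened replacement for the common case of a user-supplied arithmetic expression (parse with `ast`, allow-list node types, evaluate by hand). The calculator framing, the function names and the payload strings are assumptions made for illustration.

```python
import ast
import operator

# --- Vulnerable pattern (what the rule flags): untrusted text reaches eval() ---
def vulnerable_calculate(expr: str):
    """Evaluates a user-supplied string as Python. Any expression runs,
    not only arithmetic (deliberately vulnerable, kept for comparison)."""
    return eval(expr)  # arbitrary code execution


# --- Why a partial mitigation is not enough ---
def blocked_builtins_still_escapes() -> bool:
    """eval() with an empty __builtins__ still reaches arbitrary classes
    through attribute access; this constructed payload returns every
    subclass of object, from which an attacker picks useful ones."""
    payload = "().__class__.__base__.__subclasses__()"  # constructed input
    result = eval(payload, {"__builtins__": {}}, {})
    return isinstance(result, list) and len(result) > 0


# --- Hardened replacement: parse, allow-list node types, evaluate by hand ---
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_calculate(expr: str, max_len: int = 200):
    """Evaluates only int/float literals combined with + - * / % ** and unary
    signs. Names, calls, attributes, subscripts and strings are rejected by
    the AST walk before anything is evaluated; eval() is never called."""
    if len(expr) > max_len:  # also bounds parser recursion depth
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    try:
        return _eval_node(tree.body)
    except ZeroDivisionError as exc:
        raise ValueError("division by zero") from exc


def _eval_node(node: ast.AST):
    """Recursive allow-list evaluator; any node type not listed is an error."""
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # CPU/memory DoS guard
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def rejects(expr: str) -> bool:
    """True when safe_calculate refuses the input (used by the checks below)."""
    try:
        safe_calculate(expr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign, one that eval() happily executes.
    benign = "2 + 3 * 4"
    attack = "__import__('os').getpid() > 0"  # harmless stand-in for os.system
    print("vulnerable:", vulnerable_calculate(benign), vulnerable_calculate(attack))
    print("empty __builtins__ escapable:", blocked_builtins_still_escapes())
    print("hardened:", safe_calculate(benign), "attack rejected:", rejects(attack))
```

The hardened version never calls eval(); it interprets a small grammar itself, so the attack surface is the set of AST node types it accepts. If the input is meant to be data rather than an expression, `ast.literal_eval()` gives the same guarantee with less code, but it still raises on arbitrarily deep input, so keep the length check.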
Impact
If exploited, an attacker can run arbitrary Python with the privileges of the server process: read or modify any data the application can reach, harvest credentials and tokens from memory, configuration or environment variables, disrupt the service, or pivot from the application to the underlying host and network. Because the injected code runs in-process, application-level authorization checks do not constrain it.