Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
User input is being passed directly to the eval() function, allowing attackers to inject and execute arbitrary code. This is highly unsafe, as it gives external users control over what code runs on the server.
## Impact
If exploited, an attacker could run malicious Python code on your server, steal sensitive data, modify or delete application data, or take full control of the system. This can lead to data breaches, service disruption, and complete compromise of your application and infrastructure.