Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-supplied data is passed directly to Python's `eval` function. Because `eval` executes whatever expression it receives, an attacker who controls that input can inject and run arbitrary Python code on your server.
Impact
If exploited, an attacker could run any Python code on your system, potentially leading to data theft, server takeover, or complete compromise of your application and its underlying infrastructure.