CWE-95 Eval Injection
What this means
SiteShadow flagged code that evaluates untrusted input through an "eval-like" mechanism: a direct eval()/exec() call, an expression-language evaluator, or on-the-fly execution of a scripting language. If any part of the evaluated string is attacker-controlled, the attacker controls what code runs.
Why it matters
Eval injection is arbitrary code execution: whatever the attacker places in the evaluated string runs with the privileges of your service, in your process.
- RCE: the attacker runs code as your service account, so every permission the service has is now theirs.
- Data theft and lateral movement: the injected code can read environment variables, secrets and files, and reach whatever internal network services the host can reach.
Safer examples
1) Don't eval user input
# Bad: the whole expression is handed to the interpreter
# result = eval(user_expr)
# Good: parse the one format you actually accept, and reject everything else
try:
    n = int(user_input)
except ValueError:
    raise ValueError("expected an integer")
2) Use allowlists for supported operations
If you need "expressions," implement a tiny parser that accepts only an allowlisted grammar (for example numbers and a fixed set of arithmetic operators) rather than calling eval. Reject anything outside the allowlist, including attribute access, function calls, names and exponentiation, and cap the input length so a crafted expression cannot exhaust CPU or memory.
3) Isolate high-risk evaluation
If evaluation is unavoidable, run it in a separate process or sandbox with no filesystem or network access and strict CPU and memory limits, and treat the result as untrusted. Stripping builtins (e.g. eval(expr, {"__builtins__": {}}) in Python) is not a sandbox: attribute access on any reachable object can climb back to the full interpreter. This remains the riskiest option and should be a last resort.
How SiteShadow detects it (high level)
- Detects calls to eval/exec and expression-evaluation APIs and checks whether the evaluated string is derived, directly or through string building, from user-controlled input.
- Flags cases where the result of the evaluation goes on to control a sensitive operation (file, process, network or database access).
References
- CWE-95: https://cwe.mitre.org/data/definitions/95.html
---