SYM_JSTS_0103 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using require() with a variable (non-literal) argument can let attackers control which files or modules your code loads at runtime. This makes it possible for untrusted input to determine what code is executed.
Impact
If exploited, an attacker could load and execute malicious code or access sensitive files on the server, potentially leading to data theft, system compromise, or further attacks against your application and its users.