SYM_JSTS_0126 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
Using the Node.js 'vm' module to execute code that includes user input is unsafe, as it allows attackers to inject and run arbitrary JavaScript. This occurs when untrusted data is passed to 'vm' functions like runInContext or compileFunction.
## Impact
If exploited, an attacker could execute malicious code on your server, potentially accessing sensitive data, modifying application behavior, or compromising the entire system. This can lead to data breaches, service disruption, and further attacks within your environment.