SYM_JSTS_0130 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Control of Generation of Code ('Code Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

User-supplied input is passed directly to the `toFastProperties` function from Bluebird, which internally uses `eval()`. This allows execution of arbitrary code if the input is not properly validated or sanitized.
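The mitigation the description points at, as an added example that is not part of this wiki entry or of Bluebird: `evalBackedHelper` is a constructed stand-in for any helper that ends up calling `eval()` on its argument, and `handleRequestBody` is a hypothetical entry point that parses an untrusted body and type-checks it before forwarding. The point shown is that `eval()` only interprets string arguments as code and returns anything else unchanged, so a guard that admits only plain objects keeps untrusted data from being executed.

```javascript
// Constructed stand-in for a helper that calls eval() on what it receives.
// Not Bluebird's code; it only models the behaviour the entry describes.
function evalBackedHelper(value) {
  // eval() treats a string as source code; any non-string is returned as-is.
  return eval(value);
}

// True only for plain objects (object literal or Object.create(null)).
function isPlainObject(value) {
  if (typeof value !== 'object' || value === null) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened entry point: the untrusted value is validated before it can reach
// the eval-backed helper, so a string can never be evaluated as code.
function guardedCall(untrustedInput) {
  if (!isPlainObject(untrustedInput)) {
    throw new TypeError('expected a plain object, got ' + typeof untrustedInput);
  }
  return evalBackedHelper(untrustedInput);
}

// Hypothetical request handler (constructed): parses a JSON body and applies
// the guard. JSON.parse can yield a top-level string, number or array, which is
// exactly what the guard rejects before it is forwarded.
function handleRequestBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  try {
    return { ok: true, value: guardedCall(parsed) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```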
## Impact

If exploited, an attacker could run malicious code on your server, potentially gaining unauthorized access, stealing sensitive data, or taking control of the application. This kind of vulnerability can lead to complete system compromise and data breaches.