SYM_JSTS_0134 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Untrusted user input is passed directly as the `sandbox` context of a vm2 `VM` or `NodeVM` instance. The caller therefore controls the objects, values and globals that the sandboxed script sees, which can lead to code injection vulnerabilities.
Impact
An attacker could manipulate the sandbox environment to execute arbitrary code, potentially escaping the sandbox, accessing sensitive data, or taking control of the server. This puts your application and its users at serious risk of data breaches or server compromise.