SYM_JSTS_0137 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using thenify with the multiArgs option enabled can lead to untrusted input being passed to eval, allowing an attacker to execute arbitrary code. This happens when the callbacks or arguments reaching the wrapper are not properly controlled or sanitized.
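The hardening an engineer would want here is to treat the multiArgs option strictly as data and never let it reach eval as source text. The following is an added illustration, not thenify's own code; the function names (validateMultiArgs, weakWrapperSource, safeWrapperSource, thenifySafe) are hypothetical, and it contrasts the weak string-splicing pattern with a validated, serialised form and with a promisify that uses no code generation at all.

```javascript
// Added example (not thenify's code). Names are hypothetical.
const IDENT = /^[A-Za-z_$][\w$]*$/;

// Accept only true/false or an array of plain identifier names; anything
// else (e.g. a string carrying statements) is rejected as a type error.
function validateMultiArgs(multiArgs) {
  if (multiArgs === undefined) return true;            // default: all results
  if (typeof multiArgs === 'boolean') return multiArgs;
  if (Array.isArray(multiArgs) &&
      multiArgs.every((n) => typeof n === 'string' && IDENT.test(n))) {
    return multiArgs.slice();
  }
  throw new TypeError('multiArgs must be a boolean or an array of identifier names');
}

// Weak pattern (shown only to contrast): the raw option is concatenated into
// source text that a code-generating wrapper would later eval, so whatever
// the string contains becomes part of the program.
function weakWrapperSource(multiArgs) {
  return 'var multiArgs = ' + multiArgs + '\n';
}

// Hardened pattern: validate first, then serialise with JSON.stringify so the
// value can only ever appear as a literal, never as executable code.
function safeWrapperSource(multiArgs) {
  return 'var multiArgs = ' + JSON.stringify(validateMultiArgs(multiArgs)) + '\n';
}

// Preferred: promisify a callback-style function with no code generation.
function thenifySafe(fn, options = {}) {
  const multiArgs = validateMultiArgs(options.multiArgs);
  return function promisified(...args) {
    return new Promise((resolve, reject) => {
      fn.call(this, ...args, (err, ...results) => {
        if (err) return reject(err);
        if (multiArgs === false) return resolve(results[0]);
        if (multiArgs === true) return resolve(results);
        // Named results: key each value by its validated identifier.
        const named = {};
        multiArgs.forEach((name, i) => { named[name] = results[i]; });
        resolve(named);
      });
    });
  };
}
```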
Impact
If exploited, an attacker could run malicious code on your server, potentially stealing data, compromising user accounts, or taking control of the system. This can lead to full application compromise, data breaches, and significant damage to your organization.