SYM_PY_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Passing dynamic or externally supplied input as the script argument of `_xxsubinterpreters.run_string` executes that untrusted data as Python code inside the sub-interpreter. A sub-interpreter runs in the same process with the same privileges as the caller, so it is not an isolation boundary: an attacker who controls the input can inject and run arbitrary code.
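One way to check a code base for this pattern, as an added example that is not part of the database entry: an AST walker that flags `run_string` calls whose script argument is anything other than a string literal. It assumes the signature `run_string(id, script, ...)` and, also as an assumption, watches the module's later `_interpreters` name alongside `_xxsubinterpreters`; the sample source it scans is constructed here.

```python
import ast

# Module names to watch: the one this entry names plus its assumed CPython 3.13 rename.
TARGET_MODULES = {"_xxsubinterpreters", "_interpreters"}

class RunStringFinder(ast.NodeVisitor):
    """Records (lineno, node type) for each run_string call whose script argument is
    not a str literal. Assumes run_string(id, script, ...): arg 2 or keyword `script`."""

    def __init__(self):
        self.module_aliases = set(TARGET_MODULES)  # names bound to the module
        self.func_aliases = set()                  # names bound to run_string itself
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in TARGET_MODULES:
                self.module_aliases.add(alias.asname or alias.name)

    def visit_ImportFrom(self, node):
        if node.module in TARGET_MODULES:
            for alias in node.names:
                if alias.name == "run_string":
                    self.func_aliases.add(alias.asname or alias.name)

    def visit_Call(self, node):
        f = node.func
        is_target = (isinstance(f, ast.Name) and f.id in self.func_aliases) or (
            isinstance(f, ast.Attribute) and f.attr == "run_string"
            and isinstance(f.value, ast.Name) and f.value.id in self.module_aliases)
        if is_target:
            script = node.args[1] if len(node.args) > 1 else next(
                (kw.value for kw in node.keywords if kw.arg == "script"), None)
            # Only a str literal passes; names, subscripts, f-strings, concatenations
            # and a missing argument are all reported with the offending node type.
            if not (isinstance(script, ast.Constant) and isinstance(script.value, str)):
                self.findings.append((node.lineno, type(script).__name__))
        self.generic_visit(node)

def find_dynamic_run_string(source: str):
    finder = RunStringFinder()
    finder.visit(ast.parse(source))
    return finder.findings  # [(lineno, node type), ...] for each flagged call

# Constructed sample: request data flows straight into the sub-interpreter, the
# pattern this entry describes. find_dynamic_run_string(VULNERABLE) -> [(4, "Subscript")]
VULNERABLE = """
import _xxsubinterpreters as interpreters
def handle(request):
    interpreters.run_string(interpreters.create(), request.form["expr"])
"""
```

Run the finder over each module of a project; any non-empty result is a candidate for this entry, and a literal-only result means the call cannot be reached by external input through that argument.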
Impact
If exploited, an attacker could execute malicious Python code on the server, leading to data theft, system compromise, or full control over the application. This can result in severe breaches such as data loss, unauthorized access, or server takeover.