SYM_PY_0048 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

Directly assigning arbitrary values to a class's `__annotations__` attribute can be unsafe, especially if those values are later passed to `typing.get_type_hints`, which evaluates string-valued annotations as Python expressions in the global and local namespaces. If the annotation values are not strictly controlled, this can lead to unexpected or malicious code execution.
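The following is an added example, not code from the SymbioticSec database entry. It builds a class whose `__annotations__` are copied from a constructed, untrusted field schema, shows that `typing.get_type_hints` evaluates the string annotations (the malicious entry only appends a marker to a list so the side effect is visible and harmless), and contrasts that with a resolver that maps type names through an allowlist instead of evaluating them. The field names, the `ALLOWED_TYPES` mapping and the helper function names are assumptions made for the demonstration.

```python
"""Added example (not from the SymbioticSec database entry): shows that string
annotations copied from untrusted input are evaluated by typing.get_type_hints,
and one defensive alternative that never evaluates them."""
import typing

# Records anything the "annotation" expression does when it is evaluated, so the
# demonstration has a visible, harmless side effect instead of a real payload.
SIDE_EFFECTS: list = []

# Constructed sample input: a field schema that arrives from an untrusted source
# (a config file, a request body, ...). Two entries are ordinary type names; the
# third is a Python expression. get_type_hints hands string annotations to
# eval(), so the expression runs; this one only appends a marker and then
# evaluates to `str` so the call appears to succeed.
UNTRUSTED_FIELDS: dict = {
    "name": "str",
    "age": "int",
    "extra": "SIDE_EFFECTS.append('annotation evaluated') or str",
}


def build_record_unsafe(fields: dict) -> type:
    """Vulnerable pattern: the untrusted strings become __annotations__ as-is."""
    return type("Record", (), {"__annotations__": dict(fields)})


def demonstrate_unsafe(fields: dict = UNTRUSTED_FIELDS) -> tuple:
    """Resolve the hints the way much code does and report what ran as a result.

    Returns (hints, side_effects). With the constructed input, side_effects is
    ['annotation evaluated']: the expression ran inside get_type_hints, in the
    module's global namespace, before the caller ever inspected the result.
    """
    SIDE_EFFECTS.clear()
    cls = build_record_unsafe(fields)
    hints = typing.get_type_hints(cls)  # evaluates every string annotation
    return hints, list(SIDE_EFFECTS)


# Hardened pattern: the schema may only name types from a fixed allowlist, and
# each name is looked up in a dict rather than evaluated. Extend the mapping to
# the types the application genuinely needs; never fall back to eval().
ALLOWED_TYPES: dict = {"str": str, "int": int, "float": float, "bool": bool}


def resolve_annotations_safe(fields: dict) -> dict:
    """Map untrusted type names to type objects without ever calling eval().

    Raises ValueError for anything that is not an allowlisted type name, so a
    smuggled expression is rejected instead of executed.
    """
    resolved = {}
    for name, value in fields.items():
        if not isinstance(value, str) or value not in ALLOWED_TYPES:
            raise ValueError(f"field {name!r}: {value!r} is not an allowed type name")
        resolved[name] = ALLOWED_TYPES[value]
    return resolved


def rejects_untrusted(fields: dict = UNTRUSTED_FIELDS) -> bool:
    """True when the hardened resolver refuses the constructed malicious schema
    and leaves SIDE_EFFECTS untouched (nothing was evaluated)."""
    SIDE_EFFECTS.clear()
    try:
        resolve_annotations_safe(fields)
    except ValueError:
        return SIDE_EFFECTS == []
    return False


if __name__ == "__main__":
    hints, effects = demonstrate_unsafe()
    print("unsafe:", hints, "ran:", effects)
    print("safe:", resolve_annotations_safe({"name": "str", "age": "int"}))
    print("rejects malicious schema:", rejects_untrusted())
```

The point to take from the unsafe path is that the expression runs during `get_type_hints` itself, not when the resulting hints are used, so a review that only checks how the hints are consumed misses it. The hardened resolver treats the schema as data: a type name is a key into a mapping the application controls, and anything else is an error.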
## Impact

If an attacker can influence the values assigned to `__annotations__`, they can inject code that is executed when `typing.get_type_hints` is called. This can lead to code execution, data leaks, or compromise of the application's environment.