SYM_PY_0056 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code passes user-controlled input, such as environment variables or command-line arguments, directly to `_xxsubinterpreters.run_string()`, which compiles and executes the string as Python source inside a subinterpreter. An attacker who controls that input therefore runs arbitrary Python code inside your application. `_xxsubinterpreters` is a private CPython module (the PEP 554 subinterpreter implementation, renamed `_interpreters` in 3.13), and a subinterpreter is not a sandbox: it shares the process, the loaded C extensions and the OS credentials of the code that created it.
Impact
If exploited, an attacker executes arbitrary Python with the same OS privileges as your application; subinterpreter isolation provides no privilege separation. This can lead to data theft, unauthorized access, service disruption, or full system compromise, putting sensitive data and systems at significant risk.
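The pattern this entry describes, beside a hardened form, as an added example that is not part of the Symbiotic-Vulnerability-Database entry. It assumes the private module is named `_xxsubinterpreters` on CPython 3.8 to 3.12 and `_interpreters` on 3.13 (both expose `create()`, `run_string()` and `destroy()`); `ALLOWED_DIR`, the file-size task and the injection payload are constructed for illustration.

```python
"""Vulnerable vs. hardened use of _xxsubinterpreters.run_string() (SYM_PY_0056).

Added example, not code from the Symbiotic-Vulnerability-Database. Assumptions:
CPython 3.8-3.12 expose the private module as _xxsubinterpreters, 3.13 as
_interpreters; ALLOWED_DIR and the file-size task are made up for illustration.
"""
import os
import re
from typing import Optional

try:
    import _xxsubinterpreters as subinterp   # private module, CPython 3.8 - 3.12
except ImportError:
    try:
        import _interpreters as subinterp    # private module, CPython 3.13+
    except ImportError:
        subinterp = None                     # build without subinterpreter support


def _run_in_subinterpreter(script: str, shared: Optional[dict] = None) -> None:
    """Compile and execute *script* in a fresh subinterpreter.

    Not a sandbox: the script runs in this process, as this OS user, with the
    same filesystem access and the same loaded C extensions as the caller.
    """
    if subinterp is None:
        raise RuntimeError("this CPython build has no subinterpreter module")
    interp = subinterp.create()
    try:
        if shared is None:
            subinterp.run_string(interp, script)
        else:
            # shared: dict of shareable values (str included) bound as names
            # in the subinterpreter's __main__ before the script runs
            subinterp.run_string(interp, script, shared)
    finally:
        subinterp.destroy(interp)


# ---- SYM_PY_0056: attacker-controlled text becomes the program --------------
def build_vulnerable_script(filename: str) -> str:
    """Interpolates a user-supplied value straight into Python source text."""
    return f"import os\nsize = os.path.getsize('{filename}')\n"


def run_vulnerable(filename: str) -> None:
    _run_in_subinterpreter(build_vulnerable_script(filename))   # eval injection


# Constructed payload: closes the string literal, keeps the original call from
# raising, then appends its own statements. Harmless here (prints the pid).
INJECTION_PAYLOAD = "' or os.devnull); import os; print('injected: pid', os.getpid()); ('"


# ---- Hardened: the code is fixed, user input is only data -------------------
ALLOWED_DIR = "/var/log/app"                   # assumption: the one permitted directory
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")   # allowlist, no path separators

FIXED_SCRIPT = (
    "import os\n"
    "# 'path' arrives via the shared dict as a plain str; it is data, not\n"
    "# source text, so no value of it can alter what this script does.\n"
    "size = os.path.getsize(path)\n"
)


def is_valid_filename(name: str) -> bool:
    """True only for a bare file name matching the allowlist (rejects '', '..', '/')."""
    return _NAME_RE.fullmatch(name) is not None


def validate_filename(name: str) -> str:
    if not is_valid_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    return os.path.join(ALLOWED_DIR, name)


def run_hardened(filename: str) -> None:
    _run_in_subinterpreter(FIXED_SCRIPT, {"path": validate_filename(filename)})


if __name__ == "__main__":
    print(build_vulnerable_script(INJECTION_PAYLOAD))
    if subinterp is not None:
        try:
            run_vulnerable(INJECTION_PAYLOAD)   # prints 'injected: pid N' from the subinterpreter
        except Exception as exc:              # e.g. os.devnull not stat-able on this platform
            print("subinterpreter run failed:", exc)
    for name in ("app.log", "../../etc/passwd", INJECTION_PAYLOAD):
        print(repr(name), "->", "accepted" if is_valid_filename(name) else "rejected")
```

The hardened form does not try to escape or filter directives out of the user string (a denylist approach that CWE-95 fixes routinely get wrong); it keeps the executed source constant and moves the user value to the `shared` namespace, where it is bound as a Python `str` rather than parsed as code. Even so, the fixed script still runs with the process's privileges, so the allowlist on the file name is what confines the operation, not the subinterpreter.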