SYM_RB_0066 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code passes user-controlled input, such as values from cookies, request parameters, or the request environment (for example headers), directly to Ruby reflection methods like `tap`, `method`, or `to_proc`. Because the attacker chooses which method name is resolved or which block is invoked, they control which methods run and on what receiver. This is more than calling the wrong handler: `Object#method` resolves private and inherited methods as well, including `Kernel#system` and `BasicObject#instance_eval`, so a chosen name plus a controlled argument is enough to execute arbitrary Ruby or shell commands, which is why the pattern is classified as code injection.
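The following is an added example and not code from the Symbiotic wiki entry. It shows how a request-controlled method name reaching `Object#method` or `Symbol#to_proc` escalates to evaluating attacker-supplied Ruby, and an allow-list dispatcher that closes the hole. The `Report` class, the `params` hashes and the action names are constructed for illustration.

```ruby
# Added example (not from the wiki entry): user-controlled method names reaching
# Ruby reflection, beside an allow-list fix. Report and the params hashes are
# constructed stand-ins for a controller and Rack's params.

class Report
  def summary
    "summary of 3 records"
  end

  def export
    "exported as CSV"
  end
end

# Vulnerable: params["action"] names the method and params["arg"] is its argument.
# Nothing stops the attacker from naming a method Report never meant to expose;
# Object#method resolves inherited methods such as BasicObject#instance_eval.
def vulnerable_dispatch(params)
  report = Report.new
  m = report.method(params["action"])           # attacker picks the Method object
  params.key?("arg") ? m.call(params["arg"]) : m.call
end

# Same flaw through Symbol#to_proc: the block body is whatever method name the
# request supplied, invoked on every element.
def vulnerable_map(params, rows)
  rows.map(&params["fn"].to_sym)
end

# Hardened: accept only names from a fixed allow-list, checked before any
# reflection happens, and call with public_send so private methods stay out
# of reach even if the list is later widened by mistake.
ALLOWED_ACTIONS = %w[summary export].freeze

def safe_dispatch(params)
  action = params["action"].to_s
  unless ALLOWED_ACTIONS.include?(action)
    raise ArgumentError, "unknown action: #{action.inspect}"
  end
  Report.new.public_send(action)
end

if $PROGRAM_NAME == __FILE__
  # A legitimate request behaves the same in both versions.
  puts vulnerable_dispatch("action" => "summary")
  puts safe_dispatch("action" => "summary")

  # Malicious request: the vulnerable version evaluates attacker-supplied Ruby.
  puts vulnerable_dispatch("action" => "instance_eval", "arg" => "1 + 1")

  # The hardened version rejects it before a Method object is ever created.
  begin
    safe_dispatch("action" => "instance_eval", "arg" => "1 + 1")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The `instance_eval` payload is kept deliberately harmless; with the same sink an attacker could name `system` (private in `Kernel`, but still returned by `Object#method`) and pass a shell command. The fix works because the decision is made on a closed set of strings before reflection, not by trying to blacklist dangerous names.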
Impact
If exploited, an attacker could execute arbitrary Ruby code or shell commands in the application process, or alter program behavior by invoking methods the developer never intended to expose. Depending on the process privileges this can lead to data theft, unauthorized actions, or full system compromise, breaching both the integrity and the confidentiality of the application.