
CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) — Vulnerability Class 106

106 vulnerabilities classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')). AI-generated Chinese analysis included.

CWE-95 is a code injection weakness: the application takes attacker-influenced input and passes it, without neutralizing code syntax, to a dynamic evaluation facility such as JavaScript's eval(), Python's eval()/exec(), Perl's string eval, or a server-side expression or template engine (the CVE list below includes Velocity, XPath and property-name expression evaluators). Whatever the attacker supplies is run with the privileges of the evaluating process, so the usual outcome is remote code execution and, from there, data theft, privilege escalation or full host compromise. The fix is to remove the dynamic evaluation: parse data with a data parser (json.loads rather than eval for a JSON-shaped string) and dispatch behaviour through a fixed table of allowed operations rather than by assembling code from a name. Where evaluation genuinely cannot be removed, validate against an allowlist of whole acceptable values or a strict grammar, not merely a set of allowed characters, since a small character set is often still enough to form valid code; canonicalize before checking; and bound input size and nesting, because even a "safe" evaluator such as Python's ast.literal_eval() can be driven into resource exhaustion by deeply nested input.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Common Consequences (5)
Confidentiality: Read Files or Directories, Read Application Data
The injected code could access restricted data / files.
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control: Gain Privileges or Assume Identity
Injected code can access resources that the attacker is directly prevented from accessing.
Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands
Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code or at least modify what code can be executed.
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (4)
Architecture and Design, Implementation: If possible, refactor your code so that it does not need to use eval() at all.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalizat…
Implementation: For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
Effectiveness: Discouraged Common Practice
Examples (2)
edit-config.pl: This CGI script is used to modify settings in a configuration file.

    use CGI qw(:standard);

    sub config_file_add_key {
        my ($fname, $key, $arg) = @_;
        # code to add a field/key to a file goes here
    }

    sub config_file_set_key {
        my ($fname, $key, $arg) = @_;
        # code to set key to a particular file goes here
    }

    sub config_file_delete_key {
        my ($fname, $key, $arg) = @_;
        # code to delete key from a particular file goes here
    }

    sub handleConfigAction {
        my ($fname, $action) = @_;
        my $key = param('key');
        my $val = param('val');

        # this is super-efficient code, especially if you have to invoke
        # any one of dozens of different functions!
        #
        # The attacker-controlled 'action' parameter is interpolated into
        # Perl source text and then handed to string eval, so anything the
        # attacker places after a closing ");" runs with the CGI's privileges.
        # (${action} is braced so the interpolation picks up $action and not
        # a non-existent $action_key.)
        my $code = "config_file_${action}_key(\$fname, \$key, \$val);";
        eval($code);
    }

    # minimal driver: the 'action' query parameter reaches eval() unvalidated
    print header;
    handleConfigAction('config.txt', param('action')) if defined param('action');

Bad · Perl

    add_key(",","); system("/bin/ls");

Attack
This simple python3 script asks a user to supply a comma-separated list of numbers as input and adds them together.

    def main():
        sum = 0
        try:
            # eval() parses and executes whatever the user typed; the only
            # failure handled here is a syntax error, not hostile code.
            numbers = eval(input("Enter a comma-separated list of numbers: "))
        except SyntaxError:
            print("Error: invalid input")
            return
        for num in numbers:
            sum = sum + num
        print(f"Sum of {numbers} = {sum}")

    main()

Bad · Python

    __import__('subprocess').getoutput('rm -r *')

Attack
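The two hardened forms that the mitigation text calls for, written here as an added Python example (not MITRE's code and not any vendor's fix): the number-list input from the second example is parsed by an allowlist tokenizer instead of eval(), and the string-built dispatcher from the first example is replaced by a fixed name-to-function table. The configuration "file" is modelled as an in-memory dict, the action names "add", "set" and "delete" are assumed, and the hostile inputs are the two attack strings shown above.

```python
import re
from typing import Callable, Dict, List, Optional

# --- 1. Replacing eval() for the "comma-separated numbers" input -----------
#
# The program only needs a list of numbers, so no interpreter should ever see
# the input. Each token must match a numeric grammar (an allowlist of whole
# values, not of characters), and the total length is capped so hostile input
# cannot make the parser do unbounded work. That cap is the caveat that still
# applies to ast.literal_eval(), which blocks code execution but not deeply
# nested input.
MAX_INPUT_LEN = 4096  # assumed limit for this example
_NUMBER_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$", re.ASCII)


def parse_number_list(text: str) -> List[float]:
    """Strictly parse 'n1, n2, ...' into numbers; raise ValueError otherwise."""
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    numbers: List[float] = []
    for raw in text.split(","):
        token = raw.strip()
        if not _NUMBER_RE.match(token):
            raise ValueError(f"not a number: {token!r}")
        # Keep integers as int so "1,2,3" sums to 6 rather than 6.0.
        numbers.append(int(token) if token.lstrip("+-").isdigit() else float(token))
    return numbers


def safe_sum(text: str) -> Optional[float]:
    """Return the sum, or None if the input is rejected. Nothing is executed."""
    try:
        return sum(parse_number_list(text))
    except ValueError:
        return None


# --- 2. Replacing string-built eval() in the config-action dispatcher -------
#
# The CGI example assembled "config_file_<action>_key(...)" as source text and
# eval'd it. Here the allowed operations are a closed table; the user-supplied
# action name is only ever used as a dict key, so it can never become code.
# The config file is modelled as a plain dict (constructed for the example).
def config_file_add_key(config: Dict[str, str], key: str, val: str) -> None:
    if key in config:
        raise KeyError(f"key already present: {key!r}")
    config[key] = val


def config_file_set_key(config: Dict[str, str], key: str, val: str) -> None:
    config[key] = val


def config_file_delete_key(config: Dict[str, str], key: str, val: str) -> None:
    config.pop(key, None)


ACTIONS: Dict[str, Callable[[Dict[str, str], str, str], None]] = {
    "add": config_file_add_key,
    "set": config_file_set_key,
    "delete": config_file_delete_key,
}


def handle_config_action(config: Dict[str, str], action: str, key: str, val: str) -> bool:
    """Dispatch through the allowlist table. Returns False for unknown actions."""
    handler = ACTIONS.get(action)
    if handler is None:
        return False
    handler(config, key, val)
    return True


if __name__ == "__main__":
    # Constructed inputs: benign values plus the two attack strings from this page.
    print(safe_sum("1, 2, 3.5"))                                        # 6.5
    print(safe_sum("__import__('subprocess').getoutput('rm -r *')"))    # None
    cfg: Dict[str, str] = {}
    print(handle_config_action(cfg, "add", "timeout", "30"), cfg)      # True {'timeout': '30'}
    print(handle_config_action(cfg, 'add_key(",","); system("/bin/ls");', "x", "y"))  # False
```

The same pattern generalizes: when the input is structured data rather than a flat list, use the format's own parser (json.loads for JSON) and then validate the resulting object's shape; the dispatch table is the "predefined function mapping" that lets user input select behaviour without ever being compiled.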
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-37901 | XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet | xwiki-platform | 10.0 | Critical | 2024-07-31
CVE-2024-36404 | GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions | geotools | 9.8 | Critical | 2024-07-02
CVE-2024-36401 | Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver | geoserver | 9.8 | Critical | 2024-07-01
CVE-2024-3562 | Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field | Custom Field Suite | 8.8 | High | 2024-06-20
CVE-2024-32649 | vyper performs double eval of the argument of sqrt | vyper | 5.3 | Medium | 2024-04-25
CVE-2024-32647 | vyper performs double eval of raw_args in create_from_blueprint | vyper | 5.3 | Medium | 2024-04-25
CVE-2024-31996 | XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution | xwiki-commons | 10.0 | Critical | 2024-04-10
CVE-2024-31984 | XWiki Platform: Remote code execution through space title and Solr space facet | xwiki-platform | 10.0 | Critical | 2024-04-10
CVE-2024-31982 | XWiki Platform: Remote code execution as guest via DatabaseSearch | xwiki-platform | 10.0 | Critical | 2024-04-10
CVE-2024-31465 | XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet | xwiki-platform | 10.0 | Critical | 2024-04-10
CVE-2023-7245 | OpenVPN Connect security vulnerability | OpenVPN Connect | 7.8 (AI) | High (AI) | 2024-02-20
CVE-2023-6735 | Privilege escalation in mk_tsm | Checkmk | 8.8 | High | 2024-01-12
CVE-2024-21650 | XWiki Remote Code Execution vulnerability via user registration | xwiki-platform | 10.0 | Critical | 2024-01-08
CVE-2023-7224 | OpenVPN Connect security vulnerability | OpenVPN Connect | 7.8 (AI) | High (AI) | 2024-01-08
CVE-2023-7101 | Arbitrary Code Execution (ACE) Vulnerability | Spreadsheet::ParseExcel | 7.8 | - | 2023-12-24
CVE-2023-50723 | XWiki Platform remote code execution/programming rights with configuration section from any user account | xwiki-platform | 10.0 | Critical | 2023-12-15
CVE-2023-50721 | XWiki Platform RCE from account through SearchAdmin | xwiki-platform | 10.0 | Critical | 2023-12-15
CVE-2023-48699 | fastbots Eval Injection vulnerability | fastbots | 8.4 | High | 2023-11-21
CVE-2023-37909 | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet | xwiki-platform | 10.0 | Critical | 2023-10-25
CVE-2023-40177 | XWiki Platform privilege escalation (PR) from account through AWM content fields | xwiki-platform | 9.9 | Critical | 2023-08-23
CVE-2023-35152 | XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults | xwiki-platform | 10.0 | Critical | 2023-06-23
CVE-2023-35150 | XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application | xwiki-platform | 9.9 | Critical | 2023-06-23
CVE-2023-29511 | xwiki-platform-administration-ui vulnerable to privilege escalation | xwiki-platform | 9.9 | Critical | 2023-04-16
CVE-2023-30537 | org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation | xwiki-platform | 9.9 | Critical | 2023-04-16
CVE-2023-29509 | org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-16
CVE-2023-29214 | org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-16
CVE-2023-29212 | xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-16
CVE-2023-29211 | org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-16
CVE-2023-29210 | org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-15
CVE-2023-29209 | org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-04-15

(AI) marks a CVSS score or severity estimated by the site's AI analysis rather than taken from the official record.

Vulnerabilities classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) represent 106 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.