
CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) — Vulnerability Class 106

106 vulnerabilities classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')). AI Chinese analysis included.

CWE-95 represents a critical code injection vulnerability where software fails to properly sanitize user-supplied input before passing it to a dynamic evaluation function, such as JavaScript’s eval(). Attackers typically exploit this weakness by injecting malicious code snippets into the input stream, which the application then executes with the privileges of the running process. This can lead to complete system compromise, data exfiltration, or unauthorized administrative actions. To mitigate this risk, developers must strictly avoid using dynamic code execution functions whenever possible, opting instead for safer alternatives like JSON parsing or predefined function mappings. When dynamic evaluation is unavoidable, rigorous input validation and strict whitelisting of allowed characters are essential to ensure that only safe, expected data structures are processed, thereby neutralizing potential injection vectors before they reach the interpreter.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Common Consequences (5)
Confidentiality: Read Files or Directories, Read Application Data
The injected code could access restricted data / files.
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control: Gain Privileges or Assume Identity
Injected code can access resources that the attacker is directly prevented from accessing.
Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands
Code injection attacks can lead to loss of data integrity in nearly all cases, as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code, or at least modify what code can be executed.
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (4)
Architecture and Design, Implementation: If possible, refactor your code so that it does not need to use eval() at all.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalizat…
Implementation: For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the Python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
Effectiveness: Discouraged Common Practice
Examples (2)
edit-config.pl: This CGI script is used to modify settings in a configuration file.

    use CGI qw(:standard);

    sub config_file_add_key {
        my ($fname, $key, $arg) = @_;
        # code to add a field/key to a file goes here
    }

    sub config_file_set_key {
        my ($fname, $key, $arg) = @_;
        # code to set key to a particular file goes here
    }

    sub config_file_delete_key {
        my ($fname, $key, $arg) = @_;
        # code to delete key from a particular file goes here
    }

    sub handleConfigAction {
        my ($fname, $action) = @_;
        my $key = param('key');
        my $val = param('val');

        # this is super-efficient code, especially if you have to invoke
        # any one of dozens of different functions!
        my $code = "config_file_$action_key(\$fnam
        # (remainder of the script is cut off in the source listing)

Bad · Perl

    add_key(",","); system("/bin/ls");

Attack (supplied as the action parameter, which is interpolated, unchecked, into the $code string)
This simple python3 script asks a user to supply a comma-separated list of numbers as input and adds them together.

    def main():
        sum = 0
        try:
            numbers = eval(input("Enter a comma-separated list of numbers: "))
        except SyntaxError:
            print("Error: invalid input")
            return
        for num in numbers:
            sum = sum + num
        print(f"Sum of {numbers} = {sum}")

    main()

Bad · Python

    __import__('subprocess').getoutput('rm -r *')

Attack
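The mitigation the page recommends for this script is to not evaluate the input at all. The following is an added example (not MITRE's demonstrative code and not this site's) of a hardened replacement for the Python summer above: the string is split on commas and each token is converted with float(), so the only thing user text can ever turn into is a list of numbers. The names parse_numbers, sum_numbers and rejects, and the MAX_ITEMS and MAX_TOKEN_LENGTH limits, are this example's own assumptions.

```python
"""Hardened replacement for the eval()-based number summer shown on this page.

Added example (not MITRE's or this site's code): instead of handing the raw
string to eval(), the input is tokenised and each token is converted with
float(), so no interpreter ever sees the user's text as code.
"""
from __future__ import annotations

import math

MAX_ITEMS = 1000        # assumption: cap list length to bound CPU and memory use
MAX_TOKEN_LENGTH = 64   # assumption: no legitimate number needs more characters


def parse_numbers(text: str) -> list[float]:
    """Parse a comma-separated list of numbers without evaluating code.

    Raises ValueError for anything that is not a finite number, so a payload
    such as "__import__('subprocess').getoutput('rm -r *')" is rejected as an
    invalid number rather than executed.
    """
    tokens = [t.strip() for t in text.split(",")]
    # A single trailing comma ("1,2,") is tolerated; an empty token elsewhere is not.
    if tokens and tokens[-1] == "":
        tokens.pop()
    if not tokens:
        raise ValueError("no numbers supplied")
    if len(tokens) > MAX_ITEMS:
        raise ValueError(f"too many items (limit {MAX_ITEMS})")

    numbers: list[float] = []
    for tok in tokens:
        if not tok or len(tok) > MAX_TOKEN_LENGTH:
            raise ValueError(f"invalid number: {tok!r}")
        try:
            value = float(tok)
        except ValueError:
            raise ValueError(f"invalid number: {tok!r}") from None
        # float() accepts "inf", "nan" and overflowing exponents like 1e400;
        # reject them so the sum stays meaningful.
        if not math.isfinite(value):
            raise ValueError(f"invalid number: {tok!r}")
        numbers.append(value)
    return numbers


def sum_numbers(text: str) -> float:
    """Sum a comma-separated list; raises ValueError on any non-numeric input."""
    return sum(parse_numbers(text))


def rejects(text: str) -> bool:
    """True if parse_numbers() refuses the input (used to check the attack string)."""
    try:
        parse_numbers(text)
    except ValueError:
        return True
    return False


def main() -> None:
    try:
        numbers = parse_numbers(input("Enter a comma-separated list of numbers: "))
    except ValueError as exc:
        print(f"Error: {exc}")
        return
    print(f"Sum of {numbers} = {sum(numbers)}")


if __name__ == "__main__":
    main()
```

Compared with swapping eval() for ast.literal_eval(), this keeps the accepted grammar to exactly what the feature needs (a flat list of finite numbers, bounded in count and token length). literal_eval() would still accept arbitrary nested tuples, lists and dicts, which is the deep-nesting resource-exhaustion problem the mitigations above cite, and the caller would still have to check afterwards that every element is a number.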
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-0888 | Authenticated eval injection in B. Braun Space Battery pack SP with Wi-Fi | Space Battery Pack SP with Wi-Fi | 4.9 | Medium | 2023-03-13 |
| CVE-2023-0090 | Proofpoint Enterprise Protection webservices unauthenticated RCE | enterprise_protection | 9.8 | Critical | 2023-03-08 |
| CVE-2023-0089 | Proofpoint Enterprise Protection webutils authenticated RCE | enterprise_protection | 8.8 | High | 2023-03-08 |
| CVE-2023-26477 | org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability | xwiki-platform | 10.0 | Critical | 2023-03-02 |
| CVE-2022-41928 | XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml | xwiki-platform | 9.9 | Critical | 2022-11-23 |
| CVE-2022-41931 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui | xwiki-platform | 9.9 | Critical | 2022-11-23 |
| CVE-2022-36100 | XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection | xwiki-platform | 9.9 | Critical | 2022-09-08 |
| CVE-2022-36099 | XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability | xwiki-platform | 9.9 | Critical | 2022-09-08 |
| CVE-2022-38193 | Code injection issue in Portal for ArcGIS (10.7.1 and 10.8.1) | Portal for ArcGIS | 6.1 | Medium | 2022-08-16 |
| CVE-2022-36010 | Arbitrary code execution via function parsing in react-editable-json-tree | react-editable-json-tree | 10.0 | Critical | 2022-08-15 |
| CVE-2021-33678 | SAP NetWeaver AS ABAP code injection vulnerability | SAP NetWeaver AS ABAP (Reconciliation Framework) | 6.5 | - | 2021-07-14 |
| CVE-2021-23277 | Improper Neutralization of Directives in Dynamically Evaluated Code | Intelligent Power manager (IPM) | 8.3 | High | 2021-04-13 |
| CVE-2019-9507 | The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to arbitrary remote code execution | Avocent UMG-4000 | 8.3 | High | 2020-03-30 |
| CVE-2020-6650 | Arbitrary code execution through "Update Manager" Class | UPS Companion Software | 8.3 | High | 2020-03-23 |
| CVE-2020-5256 | Remote Code Execution Through Image Uploads in BookStack | BookStack | 7.9 | High | 2020-03-09 |
| CVE-2020-5217 | Directive injection when using dynamic overrides with user input in RubyGems secure_headers | secure_headers | 4.4 | Medium | 2020-01-23 |

Vulnerabilities classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) represent 106 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.