Eval Injection
What is Eval Injection?
A specific code-injection flaw caused by passing untrusted input to dynamic-evaluation primitives such as JavaScript eval() or Python eval/exec.
Eval injection is the concrete sub-case of code injection where a language's dynamic evaluation function — JavaScript eval, new Function, setTimeout(string), Python eval/exec, Ruby eval, PHP assert(eval-equivalent), or VBA Application.Run — is invoked on data that came directly or indirectly from user input. Because these primitives interpret the supplied string as full source code in the host process, exploitation yields complete language-level RCE: access to all imports, globals, file system, environment, and child processes. Mitigations include removing dynamic evaluation entirely, replacing it with safe parsers (JSON.parse, ast.literal_eval), using strict allow-list validators when math/expression evaluation is required, and applying runtime sandboxes such as vm2 or restricted subprocesses.
● Examples
- 01
Python: result = eval(request.form['expr']) — payload __import__('os').system('id').
- 02
Node: new Function('return ' + req.query.f)() — payload process.mainModule.require('child_process').execSync('id').
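As an added example (not code from the original page), here is the allow-list approach the definition recommends, applied to the Python case above: ast.parse builds a syntax tree without executing anything, and the walk accepts only numeric literals and a fixed set of operators, so a payload built from a call or attribute chain is rejected before any interpreter sees it. The length limit and the MAX_EXPR_LEN name are assumptions of this example; ast.literal_eval remains the right tool when the input is data rather than an expression.

```python
import ast
import operator

# Allow-list of operators: anything not listed here is rejected.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPR_LEN = 200  # constructed limit on untrusted input size


def safe_arith_eval(expr: str) -> float:
    """Evaluate untrusted arithmetic without eval(); raise ValueError otherwise.

    ast.parse(mode="eval") only parses, it never executes; the walk below
    accepts nothing but numeric literals and the operators allow-listed above.
    """
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node: ast.AST) -> float:
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)  # floats make overflow raise instead of hang
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        try:
            result = _BIN_OPS[type(node.op)](left, right)
        except (ZeroDivisionError, OverflowError) as exc:
            raise ValueError(f"arithmetic error: {exc}") from None
        if isinstance(result, complex):  # e.g. negative base, fractional power
            raise ValueError("non-real result")
        return result
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Name, Attribute, Call, Subscript, comprehensions, etc. all land here.
    # This single branch is what stops payloads built from __import__ or
    # attribute chains: they are never handed to an interpreter at all.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


if __name__ == "__main__":
    print(safe_arith_eval("2 + 3 * 4"))  # 14.0
    for bad in ("__import__('os').system('id')", "2 ** 100000", "1 / 0"):
        try:
            safe_arith_eval(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```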
● Frequently asked questions
What is Eval Injection?
A specific code-injection flaw caused by passing untrusted input to dynamic-evaluation primitives such as JavaScript eval() or Python eval/exec. It belongs to the Attacks & Threats category of cybersecurity.
What does Eval Injection mean?
A specific code-injection flaw caused by passing untrusted input to dynamic-evaluation primitives such as JavaScript eval() or Python eval/exec.
How does Eval Injection work?
Eval injection is the concrete sub-case of code injection where a language's dynamic evaluation function — JavaScript eval, new Function, setTimeout(string), Python eval/exec, Ruby eval, PHP assert(eval-equivalent), or VBA Application.Run — is invoked on data that came directly or indirectly from user input. Because these primitives interpret the supplied string as full source code in the host process, exploitation yields complete language-level RCE: access to all imports, globals, file system, environment, and child processes. Mitigations include removing dynamic evaluation entirely, replacing it with safe parsers (JSON.parse, ast.literal_eval), using strict allow-list validators when math/expression evaluation is required, and applying runtime sandboxes such as vm2 or restricted subprocesses.
How do you defend against Eval Injection?
The primary defence is to remove dynamic evaluation altogether. Where the input is data, parse it with a safe parser (JSON.parse, ast.literal_eval); where expression evaluation is genuinely required, accept only what a strict allow-list validator passes; and treat runtime sandboxes such as vm2 or restricted subprocesses as an additional layer, not as a substitute for removing the eval call.
What are other names for Eval Injection?
Common alternative names include eval() injection and dynamic-evaluation injection.
● Related terms
- Code Injection (attacks): A class of vulnerabilities where attacker-supplied data is interpreted and executed as code by an application, leading to arbitrary execution in its context.
- Server-Side Template Injection (attacks): An attack that injects template-engine syntax into untrusted input, leading to code execution on the server when the template is rendered.
- Command Injection (attacks): An attack where user input is passed unsanitised to an operating-system shell, causing the application to execute attacker-supplied commands.
- Insecure Deserialization (vulnerabilities): A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution.
- Input Validation (appsec): The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.