CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
常见后果
影响范围: Confidentiality
技术影响: Read Files or Directories Read Application Data
说明: The injected code could access restricted data / files.
影响范围: Access Control
技术影响: Bypass Protection Mechanism
说明: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
说明: Injected code can access resources that the attacker is directly prevented from accessing.
影响范围: Integrity Confidentiality Availability Other
技术影响: Execute Unauthorized Code or Commands
说明: Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code or at least modify what code can be executed.
影响范围: Non-Repudiation
技术影响: Hide Activities
说明: Often the actions performed by injected control code are unlogged.
潜在缓解措施
阶段: Architecture and Design Implementation
描述: If possible, refactor your code so that it does not need to use eval() at all.
阶段: Implementation
策略: Input Validation
阶段: Implementation
阶段: Implementation
有效性: Discouraged Common Practice
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2024-4181
Framework for LLM applications allows eval injection via a crafted response from a hosting provider.
参考: CVE-2022-2054
Python compiler uses eval() to execute malicious strings as Python code.
参考: CVE-2021-22204
Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV.
参考: CVE-2021-22205
Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV.
参考: CVE-2008-5071
Eval injection in PHP program.
参考: CVE-2002-1750
Eval injection in Perl program.
参考: CVE-2008-5305
Eval injection in Perl program using an ID that should only contain hyphens and numbers.
参考: CVE-2002-1752
Direct code injection into Perl eval function.
参考: CVE-2002-1753
Eval injection in Perl program.
参考: CVE-2005-1527
Direct code injection into Perl eval function.
参考: CVE-2005-2837
Direct code injection into Perl eval function.
参考: CVE-2005-1921
MFV. code injection into PHP eval statement using nested constructs that should not be nested.
参考: CVE-2005-2498
MFV. code injection into PHP eval statement using nested constructs that should not be nested.
参考: CVE-2005-3302
Code injection into Python eval statement from a field in a formatted file.
参考: CVE-2007-1253
Eval injection in Python program.
参考: CVE-2001-1471
chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.
参考: CVE-2007-2713
Chain: Execution after redirect triggers eval injection.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Implementation | This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Direct Dynamic Code Evaluation ('Eval Injection') | - |
| OWASP Top Ten 2007 | A3 | Malicious File Execution | CWE More Specific |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE More Specific |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| SEI CERT Perl Coding Standard | IDS35-PL | Do not invoke the eval form with a string argument | Exact |