Weakness reference
CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

01 Summary

Eval injection occurs when an application passes user-controlled input directly to code evaluation functions like eval(), exec(), or similar dynamic code execution mechanisms without validation or sanitization. This allows an attacker to inject arbitrary code that runs with the same privileges as the application, leading to complete system compromise.

02 How It Happens

Many programming languages provide functions that treat a string as executable code — eval() in Python and PHP, exec() in Python, or similar mechanisms in other languages. When user input (from query parameters, form fields, uploaded files, or API requests) is concatenated into these strings without filtering, an attacker can break out of the intended logic and inject malicious commands. The root cause is treating user input as trusted code rather than as data.

This weakness is particularly dangerous because it bypasses most traditional security boundaries: there is no SQL injection filter, no XSS encoding, no file path restriction that can stop arbitrary code execution. The attacker gains the ability to run any instruction the application's runtime environment permits.

03 Real-World Impact

Successful eval injection leads to remote code execution (RCE), the most severe class of vulnerability. An attacker can read sensitive files, modify or delete data, install backdoors, pivot to other systems on the network, or take complete control of the server. Even a single eval injection vulnerability can result in total compromise of the affected system and potentially the entire infrastructure.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import request  # the request object is assumed to come from Flask
import sqlite3

user_input = request.args.get('filter')
query = "SELECT * FROM users WHERE name = '" + user_input + "'"

# Dangerous: eval() executes the string as Python code, so whatever the
# 'filter' parameter contains is handed to the interpreter as source
result = eval(query)

Why it's vulnerable:
The eval() function treats the string as Python code. An attacker can inject code like __import__('os').system('rm -rf /') and it will execute directly.

Fixed pattern
from flask import request  # the request object is assumed to come from Flask
import sqlite3

user_input = request.args.get('filter')
conn = sqlite3.connect('database.db')
cursor = conn.cursor()

# Safe: parameterized query, no eval(); the driver binds user_input as data
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))
result = cursor.fetchall()
conn.close()

Vulnerable pattern
<?php
$user_code = $_GET['expression'];

// Dangerous: eval() executes arbitrary PHP code
eval('$result = ' . $user_code . ';');
echo $result;
?>

Why it's vulnerable:
eval() parses and executes the string as PHP code. An attacker can inject phpinfo(); system('whoami'); or any other PHP statement.

Fixed pattern
<?php
$user_input = $_GET['value'] ?? '';
$operation = $_GET['operation'] ?? '';

// Safe: no eval(); the operation is matched against a whitelist and the
// operand is validated as a number before it is used
$allowed_operations = ['add', 'subtract', 'multiply'];

if (!in_array($operation, $allowed_operations, true) || !is_numeric($user_input)) {
    http_response_code(400);
    exit('invalid request');
}

$value = intval($user_input);
// Every whitelisted operation has a branch, so $result is always defined
$result = match ($operation) {
    'add'      => $value + 10,
    'subtract' => $value - 10,
    'multiply' => $value * 10,
};
echo htmlspecialchars((string) $result);
?>

05 Prevention Checklist

Never use eval(), exec(), system(), or equivalent dynamic code execution functions on user input.
If you must evaluate expressions, use a safe, sandboxed expression parser designed for that purpose.
Use parameterized queries or prepared statements for database operations instead of string concatenation.
Implement strict input validation: whitelist allowed values, reject anything unexpected, and validate type and format before use.
Apply the principle of least privilege: run the application with minimal permissions so that even if code execution occurs, the damage is limited.
Use static analysis tools to detect eval() calls in your codebase and flag them for review.
Sandbox or isolate dynamic code execution if it is absolutely necessary: use containerization, restricted user accounts, or language-level sandboxes.
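As an added example (not code from the page), the following Python shows what the checklist's "safe expression parser" item looks like in practice for the kind of user-supplied filter expression the Python pattern above fed to eval(): the input is parsed into an AST and only a whitelist of node types is evaluated, so the __import__('os').system(...) payload from the vulnerable pattern is refused before anything runs. The names safe_eval and is_rejected are chosen here.

```python
import ast
import operator

# Added example (not from the page): an allow-list evaluator that replaces
# eval() for user-supplied arithmetic/comparison expressions. The input is
# parsed but never executed; each AST node is checked against the tables
# below, so calls, attribute access, subscripts and string literals (what
# __import__('os').system(...) is built from) are refused before anything runs.
# ast.Pow is deliberately absent: 9**9**9 alone exhausts memory.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_CMP_OPS = {ast.Lt: operator.lt, ast.LtE: operator.le,
            ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.Eq: operator.eq, ast.NotEq: operator.ne}

def safe_eval(expr, variables=None):
    """Evaluate a small numeric expression; raise ValueError on anything else."""
    variables = variables or {}
    try:
        tree = ast.parse(expr, mode="eval")  # syntax check only, nothing runs
    except SyntaxError as exc:
        raise ValueError(f"invalid expression: {exc.msg}") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value  # numeric literals only
        if isinstance(node, ast.Name):
            if node.id in variables:  # names resolve from an explicit dict, not globals
                return variables[node.id]
            raise ValueError(f"unknown name: {node.id}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        # Call, Attribute, Subscript, Lambda, strings, etc. all land here
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)

def is_rejected(expr):  # True when safe_eval refuses the expression
    try:
        safe_eval(expr)
    except ValueError:
        return True
    return False
```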

06 Signs You May Already Be Affected

Look for unexpected files or directories created in your application root or web-accessible folders, unusual processes spawned by your application server, or suspicious entries in application logs showing strange function calls or system commands. If you find eval() calls in your codebase that process any external input, treat them as critical security issues regardless of whether you have evidence of exploitation.

07 Related Recent Vulnerabilities