# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

The product receives input from an upstream component, but it does not neutralize code syntax before using the input in a dynamic evaluation call.

- Prevalence: High
- Impact: High (OWASP Top 10 #3)
- Prevention: see the MITRE external references

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

When user input is passed to eval() or a similar dynamic-evaluation function (for example `Function()`, `setTimeout()`/`setInterval()` with a string argument, or the `eval`/`exec` equivalents in languages such as Python and PHP) without neutralizing code syntax, an attacker can inject arbitrary code that the interpreter executes with the application's privileges. The root cause is that the input is handed to the language interpreter as code rather than treated as data, so any character sequence the grammar accepts becomes an instruction. Escaping or filtering individual characters is rarely sufficient because the grammar of a full programming language is far larger than that of a data format.

## Consequences

- Execution of unauthorized code or commands in the context of the application process
- Reading application data (configuration, secrets, database contents) reachable from that process
- Modifying application data, including persistent state and control-flow decisions

## Mitigations

- Avoid eval() and similar dynamic code execution functions. In most real code the "dynamic" behaviour is really "parse some data" or "choose among a few known operations", both of which can be written without an interpreter.
- Use safer alternatives such as JSON.parse() to parse data. JSON.parse() cannot execute code, but it still needs to be followed by validation of the resulting structure (expected keys, types and value ranges).
- If eval must be used, apply strict input validation (an allowlist grammar for exactly the constructs you support, not a denylist of dangerous tokens) and run the evaluation in an isolated sandbox with no access to the host process. Note that in-process "sandboxes" such as Node.js's `vm` module are not security boundaries according to their own documentation; real isolation means a separate process or container with restricted privileges.
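The following is an added example, not code from the CWE entry or from MITRE, showing the vulnerable pattern next to the two hardened alternatives the mitigations describe: JSON.parse() followed by allowlist validation for data, and a purpose-built evaluator for the one case where the feature genuinely needs to evaluate an expression. The application scenario (a user-supplied "preferences" object and a calculator-style arithmetic expression), the function names, and the payloads are all constructed for this illustration.

```javascript
// Added example (not from the CWE entry): eval() on attacker-controlled input
// versus hardened replacements. Scenario, names and payloads are assumptions
// made for this illustration.

// --- Vulnerable: eval() treats data as code -------------------------------
// Whoever controls `raw` gets arbitrary code execution in this process. The
// object-literal wrapper is a common "parse a JS object" anti-pattern.
function parsePreferencesUnsafe(raw) {
  return eval('(' + raw + ')');
}

// Constructed attacker payload: a comma expression inside a property value
// runs arbitrary code while still yielding a plausible-looking object.
function demonstrateEvalInjection() {
  globalThis.evalInjectionMarker = undefined;
  const payload = '{theme: (globalThis.evalInjectionMarker = "code ran", "dark")}';
  parsePreferencesUnsafe(payload);
  return globalThis.evalInjectionMarker === 'code ran';
}

// --- Hardened: JSON.parse() + allowlist validation ------------------------
const ALLOWED_THEMES = new Set(['light', 'dark']);

function parsePreferencesSafe(raw) {
  let obj;
  try {
    obj = JSON.parse(raw); // data only; the JSON grammar cannot express code
  } catch (e) {
    throw new TypeError('preferences must be valid JSON');
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('preferences must be a JSON object');
  }
  // Copy only the fields we expect, with type and value checks, onto a
  // null-prototype object so keys such as "__proto__" cannot pollute prototypes.
  const prefs = Object.create(null);
  if (!ALLOWED_THEMES.has(obj.theme)) throw new TypeError('bad theme');
  prefs.theme = obj.theme;
  if (!Number.isInteger(obj.pageSize) || obj.pageSize < 1 || obj.pageSize > 100) {
    throw new TypeError('bad pageSize');
  }
  prefs.pageSize = obj.pageSize;
  return prefs;
}

// --- Hardened: a tiny grammar instead of eval() for arithmetic -----------
// When the feature really is "evaluate an expression", implement exactly the
// grammar you support: integers, + - * /, parentheses and unary minus.
// Anything outside that grammar is rejected before any evaluation happens.
function evalArithmetic(src) {
  const tokens = src.match(/\s*(\d+|[-+*/()])\s*/g);
  // Reject input unless every non-whitespace character was consumed by a token.
  if (!tokens || tokens.join('').replace(/\s+/g, '') !== src.replace(/\s+/g, '')) {
    throw new SyntaxError('unsupported characters in expression');
  }
  const t = tokens.map((s) => s.trim());
  let i = 0;
  const peek = () => t[i];
  const next = () => t[i++];
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + term() : v - term();
    return v;
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      if (op === '/' && r === 0) throw new RangeError('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function factor() {
    const tok = next();
    if (tok === '-') return -factor();
    if (tok === '(') {
      const v = expr();
      if (next() !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (tok !== undefined && /^\d+$/.test(tok)) return Number(tok);
    throw new SyntaxError('unexpected token ' + tok);
  }
  const v = expr();
  if (i !== t.length) throw new SyntaxError('trailing input');
  return v;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval() ran injected code:', demonstrateEvalInjection());
  console.log(parsePreferencesSafe('{"theme":"dark","pageSize":20,"__proto__":{"admin":true}}'));
  console.log(evalArithmetic('2 + 3*(4-1)'));
}
```

The safe parser accepts the same well-formed input as the unsafe one but rejects the injection payload outright, because `{theme: (...)}` is not JSON; the recursive-descent evaluator rejects `process.exit(1)` at tokenization, before anything is interpreted. The same structure applies in other languages: replace the interpreter with a parser for the narrow grammar you actually need.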