CWE-95 Eval Injection
Coverage: 15 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 15 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged code that evaluates untrusted input using an "eval-like" mechanism (direct eval, expression evaluation, dynamic language execution).
Why it matters
Eval injection can lead to arbitrary code execution.
- RCE: attackers run code as your service.
- Data theft and lateral movement via environment and internal network access.
Safer examples
1) Don't eval user input
# Bad: eval(user_expr)
# Good: parse a known format and validate
n = int(user_input)
2) Use allowlists for supported operations
If you need "expressions," implement a tiny allowlisted parser rather than eval.
3) Isolate high-risk evaluation
If evaluation is unavoidable, sandbox it aggressively and remove access to filesystem/network (still risky).
How SiteShadow detects it (high level)
- Detects eval/expression execution APIs and checks whether the evaluated string is user-controlled.
- Flags when the evaluation result controls sensitive operations.
References
- CWE-95: https://cwe.mitre.org/data/definitions/95.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.