It's a false positive.

Reporting false code injection vulnerabilities is a well-known problem with HP Fortify and has confused developers before. Fortify just does basic static analysis of the JavaScript code and can't go arbitrarily deep to understand how it works. As @AlexanderOMara suggested, it just seems to discover the potentially dangerous setTimeout() function which, like setInterval(), can take a string argument that would be executed as code, just like eval() does. This is the sort of vulnerability the tool aims to discover:

setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);

But in your case there is no user-supplied, unfiltered input to the setTimeout() function and it therefore looks safe. That leaves you with a great conclusion from the linked thread:

My advice is to stop running HP fortify reports. Or pay the five thousand, or whatever dollars to go to their classes so you could actually understand their malarkey.

Answer from Arminius on Stack Exchange
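Added here as an illustration, not code from Arminius's answer or from Fortify: a small triage heuristic that sorts setTimeout()/setInterval() calls by the kind of first argument they receive, which is the distinction behind the false positive described above. The sample calls and the names showComments, pollStatus and comments are constructed for this example.

```javascript
// Added example, not code from the answer or from Fortify: a text heuristic that
// classifies setTimeout()/setInterval() calls by the kind of first argument, the
// distinction the "Dynamic Code Evaluation" rule is after. Only a string assembled
// at runtime is an eval-like sink; a function reference is plain data flow, and a
// flag on it is the false positive discussed above. Not real data-flow analysis.
const TIMER_CALL = /\b(setTimeout|setInterval)\s*\(/g;

// First argument of the call whose "(" ends at `start`; quotes and bracket depth
// are tracked so commas inside strings or nested calls don't cut it short.
function firstArgument(source, start) {
  let depth = 0, quote = null;
  for (let i = start; i < source.length; i++) {
    const ch = source[i];
    if (quote) {
      if (ch === "\\") i++;                       // skip an escaped character
      else if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"' || ch === "`") quote = ch;
    else if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) {
      if (depth === 0) return source.slice(start, i).trim();
      depth--;
    } else if (ch === "," && depth === 0) return source.slice(start, i).trim();
  }
  return source.slice(start).trim();
}

// function/identifier: a callback passed as data, so a flag is a likely false positive.
// string-literal: constant code string, no injection but should become a function.
// string-expression: code string built at runtime, trace it for user-controlled data.
function classifyArgument(arg) {
  if (/^(async\s+)?(function\b|\([^)]*\)\s*=>|[A-Za-z_$][\w$]*\s*=>)/.test(arg)) return "function";
  if (/^(['"`])(?:\\.|(?!\1).)*\1$/.test(arg) && !arg.includes("${")) return "string-literal";
  if (/['"`+]/.test(arg)) return "string-expression";
  return "identifier";
}

function triageTimerCalls(source) {
  return Array.from(source.matchAll(TIMER_CALL), (m) => {
    const argument = firstArgument(source, m.index + m[0].length);
    const line = source.slice(0, m.index).split("\n").length;
    return { line, fn: m[1], argument, kind: classifyArgument(argument) };
  });
}

// Constructed sample: the answer's injectable line plus three benign calls.
const SAMPLE = [
  "setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);",
  "setTimeout(function () { showComments(comments); }, 0);",
  "setInterval(pollStatus, 5000);",
  "setTimeout('refresh()', 1000);",
].join("\n");
for (const f of triageTimerCalls(SAMPLE)) console.log(`line ${f.line} ${f.fn}: ${f.kind}`);
```

Only the first sample call is the shape the tool is hunting for; the second and third are the benign callback pattern that still trips the rule.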
OWASP Foundation
owasp.org › www-community › attacks › Direct_Dynamic_Code_Evaluation_Eval Injection
Direct Dynamic Code Evaluation - Eval Injection | OWASP Foundation
This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.
Fortify
vulncat.fortify.com › en › detail
Software Security | Dynamic Code Evaluation: Script Injection
This capability allows programmers to perform dynamic instructions based on input received from the user. Code injection vulnerabilities occur when the programmer incorrectly assumes that instructions supplied directly from the user will perform only innocent operations, such as performing ...
GitHub
github.com › OWASP › www-community › blob › master › pages › attacks › Direct_Dynamic_Code_Evaluation_Eval_Injection.md
www-community/pages/attacks/Direct_Dynamic_Code_Evaluation_Eval_Injection.md at master · OWASP/www-community
This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.
Author: OWASP
Fortify
vulncat.fortify.com › en › detail
Software Security | Dynamic Code Evaluation: Code Injection
Code injection vulnerabilities occur when the programmer incorrectly assumes that instructions supplied directly from the user will perform only innocent operations, such as performing simple calculations on active user objects or otherwise modifying the user's state.
Oligo Security
oligo.security › academy › 8-types-of-code-injection-and-8-ways-to-prevent-them
8 Types of Code Injection and 8 Ways to Prevent Them
Implement endpoint security monitoring for anomaly detection: Security tools that track process behavior, such as Sysmon on Windows or Auditd on Linux, can flag unexpected script executions, privilege escalations, or suspicious outbound connections. Deploy RASP (Runtime Application Self-Protection): Unlike WAFs, RASP solutions embed security within the application, enabling real-time detection and prevention of injection attempts based on contextual execution data. Disable dynamic execution of code where possible: Many attacks exploit functions that allow runtime evaluation of strings as code (e.g., eval() in Python/JavaScript, system() in C).
Stack Overflow
stackoverflow.com › questions › 56666442 › how-to-fix-fortify-dynamic-code-evaluation-script-injection-error
How to fix Fortify "Dynamic Code Evaluation: Script Injection" error
June 19, 2019 - How to Fix fortify Dynamic Code Evaluation: Script Injection error? onCommentSuccess: function (showAllComments) { $('#commentListDiv').load(location.href + ' #commentListDiv', function() { ...
Snyk Learn
learn.snyk.io › home › security education › what is code injection? | tutorial & examples
What is code injection? | Tutorial & examples | Snyk Learn
October 28, 2025 - When this method is used with a command interpreter (cmd.exe for instance) and unsanitized user-supplied input, this can result in command and argument injection attacks. The ScriptEngine provides basic scripting functionality, including the ability to use command-line shells. The Java Scripting functionality is located in the javax.script package and is a pretty simple API to use. Scripts are evaluated by the script engine’s eval() method. When this method is implemented with user-supplied input, it can allow attackers to execute their own code.
Snyk
snyk.io › blog › 5-ways-to-prevent-code-injection-in-javascript-and-node-js
5 ways to prevent code injection in JavaScript and Node.js | Snyk
April 6, 2021 - On the Node.js side of things, one may want to allow accessing specific data points in the application, based on some dynamic evaluation. Here’s an example: const db = "./db.json" const dataPoints = eval("require('"+db+"')"); In this example, the general assumption is that the exact file we want to require is dynamic, and potentially user-controlled, in which again we have potential code injection security vulnerabilities.
Acunetix
acunetix.com › vulnerabilities › web › code-evaluation-asp
Code Evaluation (ASP) - Vulnerabilities - Acunetix
This vulnerability occurs when user-controlled input is passed directly into ASP evaluation functions (such as eval() or Execute()) without proper validation or sanitization. When exploited, attackers can inject and execute arbitrary ASP code on the server, effectively gaining the ability to ...
Codiga
codiga.io › blog › javascript-eval-best-practices
JavaScript eval security best practices
The function takes a string argument and evaluates it as a JavaScript expression, then returns the result. ... Dynamic code evaluation: eval() can be used to evaluate code dynamically, meaning that the code is generated and executed at runtime.
Acunetix
acunetix.com › vulnerabilities › web › code-evaluation-php
Code Evaluation (PHP) - Vulnerabilities - Acunetix
This vulnerability occurs when user-controlled input is passed directly to dangerous functions like eval(), assert(), or similar dynamic code execution functions without proper validation or sanitization. When exploited, attackers can inject malicious PHP code that will be executed with the ...
Semgrep
semgrep.dev › learning guides › application security › vulnerabilities › code injection
Code Injection | Semgrep
September 30, 2025 - Code injection is a type of software vulnerability that occurs when untrusted input is treated as code and executed. In other words, the attacker supplies data that the application mistakenly interprets as instructions.
Acunetix
acunetix.com › vulnerabilities › web › code-evaluation-ruby
Code Evaluation (Ruby) - Vulnerabilities - Acunetix
Ruby code injection is a vulnerability that allows an attacker to inject custom code into the server side scripting engine. This vulnerability occurs when an attacker can control all or part of an input string that is fed into an eval() function call. eval() will execute the argument as code.
SonarSource
rules.sonarsource.com › java › rspec-5334
Dynamic code execution should not be vulnerable to ...
Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code
Rxharun
rxharun.com › rxharun › rx-it-world-hacking-tutorial › direct-dynamic-code-evaluation-eval-injection
Direct Dynamic Code Evaluation Eval Injection – RxHarun
This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution. Note 1: This attack will execute the code with the same permission ...
PortSwigger
portswigger.net › kb › issues › 00100d00_server-side-javascript-code-injection
Server-side JavaScript code injection - PortSwigger
Server-side code injection vulnerabilities arise when an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server.
Invicti
invicti.com › web-application-vulnerabilities › code-evaluation-asp
Code Evaluation (ASP) - Web Application Vulnerabilities | Invicti
ASP code injection is a vulnerability that allows an attacker to inject custom code into the server side scripting engine. This vulnerability occurs when an attacker can control all or part of an input string that is fed into an eval() statement, which results in code execution.
Sourcery
sourcery.ai › vulnerabilities › eval-injection-javascript
Code injection via eval() and Function constructor in JavaScript | Security Vulnerability Database | Sourcery
A critical security vulnerability where user-controlled input is passed to JavaScript's eval() function, Function() constructor, or similar dynamic code execution mechanisms without proper sanitization.
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › latest › 4-Web_Application_Security_Testing › 07-Input_Validation_Testing › 11-Testing_for_Code_Injection
Testing for Code Injection
In Code Injection testing, a tester submits input that is processed by the web server as dynamic code or as an included file. These tests can target various server-side scripting engines, e.g., ASP or PHP.