PortSwigger
portswigger.net › kb › issues › 00100f10_python-code-injection
Python code injection - PortSwigger
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Semgrep
semgrep.dev › write rules › secure coding › python › code injection in python
Code Injection in Python | Semgrep
The eval() function supports the dynamic execution of Python code. The eval() can be dangerous if it is used to execute dynamic content (non-literal content). If this dynamic content has an input controllable by a user, it can cause a code injection ...
Python Injection - is there such a thing? - Stack Overflow
Would it be possible that if that ... python code could be injected and executed in the app? Is there a way to easily and harmlessly test for this vulnerability - if it is indeed a potential vulnerability? I can't seem to find many web resources on this topic. ... Python injection? Sure, if you have eval() in your ... More on stackoverflow.com
python - I need to inject the code with eval() function to complete my task, do i need to changes in eval() funcction? - Stack Overflow
I need to complete this task, please see the below comments, You are calling the hack() function in your text files which is a good start. The goal of the task inject the hack() function into the P... More on stackoverflow.com
Why is exec() and eval() not considered good practice?
exec and eval basically execute the code AS IF you wrote it. Maybe if you're the one using it would be OK, but on public facing applications then you have the risk of code injection. Someone crafting a string that will do something completely different. It is bad practice just for that, and you can make it work with other approaches. On your case, there are easier ways of finding something by its "name". You can set up a dict of objects (IE AllItems). Whose key is your "nameOfWeapon" identifier. And do AllItems[nameOfWeapon] to get it. And after getting it you can call the method you have on it. More on reddit.com
27
50
July 27, 2024Eval really is dangerous
Remember that there's literal_eval in the ast module. http://docs.python.org/library/ast.html#ast.literal_eval Useful for taking in Pythonic data. More on reddit.com
44
95
June 6, 2012GitHub
github.com › letta-ai › letta › issues › 2613
Code Injection Vulnerability Caused by eval() in function_message Function · Issue #2613 · letta-ai/letta
May 8, 2025 - This code is vulnerable to CWE - 94: Code Injection due to the use of the eval() function. The function_message function processes a string msg. When msg starts with "Running " and matches a specific regular expression, the function extracts the function_name and function_args. For certain function_name values, it uses eval() to execute the function_args string as a Python expression.
Author ybdesire
Acunetix
acunetix.com › vulnerabilities › web › code-evaluation-python
Code Evaluation (Python) - Vulnerabilities - Acunetix
This script is vulnerable to Python code injection. The user input appears to be placed into a dynamically evaluated Python code statement, allowing an attacker to execute arbitrary Python code.
JFrog
jfrog.com › blog home › 23andme’s yamale python code injection, and properly sanitizing eval()
23andMe's Yamale Python code injection, and properly sanitizing eval()
September 1, 2022 - [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['print']([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('cd /; python3 -m http.server')) There have been many writeups regarding this subject, but the short answer is – if you are passing completely unsanitized input to eval (regardless of builtins) then you are susceptible to arbitrary code injection.
Floyd
floyd.ch
Exploiting Python’s Eval | floyd's
Pingback: Exploiting Python Code Injection in Web Applications – My Blog · python module evalidate (pip3 install evalidate) solves this problem. It parses untrusted user code into Abstract Syntax Tree (AST) and checks each node. Code is evaluated then only if it consist only of safe nodes.
Wisc
research.cs.wisc.edu › mist › SoftwareSecurityCourse › Chapters › 3_8_3-Code-Injections.pdf pdf
3_8_3-Code-Injections.pdf
https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Chapters/18-Code-Injections.pdf
VK9 Security
vk9-sec.com › exploiting-python-eval-code-injection
Exploiting Python EVAL() Code Injection | VK9 Security
The eval() function in Python evaluates a string as a Python expression and returns the result. It allows developers to dynamically execute code during runtime, providing great flexibility. However, if user-supplied input is directly passed into eval(), it can lead to code injection vulnerabilities.
Medium
medium.com › swlh › hacking-python-applications-5d4cd541b3f1
Hacking Python Applications. And how attackers exploit common… | by Vickie Li | The Startup | Medium
November 15, 2019 - Dangerous functions in Python like eval(), exec() and input() can be used to achieve authentication bypass and even code injection.
Snyk
snyk.io › blog › code-injection-python-prevention-examples
Code injection in Python: examples and prevention | Snyk
December 6, 2023 - For example, with literal_eval(), the input 2 + 3 would be evaluated as the numeric value 5, while an input like __import__('os').system('rm -rf /') would raise a ValueError instead of executing the command. This effectively mitigates the security concerns associated with using eval() and provides a safer way to evaluate expressions that involve literals. Use parameterized queries or prepared statements to prevent SQL injection:
Acunetix
acunetix.com › vulnerabilities › web › python-code-injection
Python code injection - Vulnerabilities
This script is vulnerable to Python code injection. The user input appears to be placed into a dynamically evaluated Python code statement, allowing an attacker to execute arbitrary Python code.
Johal AI Hub
johal.in › detecting-and-preventing-code-injection-in-python-eval-and-exec-functions-7
Detecting and Preventing Code Injection in Python Eval and Exec Functions
3 weeks ago - Unlike compiled languages where code execution paths are determined at compile time, Python's eval() and exec() functions evaluate and execute code at runtime. This flexibility enables powerful metaprogramming capabilities but also creates an ...
Blogger
vipulchaskar.blogspot.com › 2012 › 10 › exploiting-eval-function-in-python.html
Vipul Chaskar's Blog: Exploiting eval() function in Python
October 23, 2012 - It is the eval() function. Basically it takes a string which has a valid python expression, and evaluates it as a regular python code. The risk with this function, if the user manages to enter custom crafted string into this function, it has ...
Stack Overflow
stackoverflow.com › questions › 76539692 › i-need-to-inject-the-code-with-eval-function-to-complete-my-task-do-i-need-to
python - I need to inject the code with eval() function to complete my task, do i need to changes in eval() funcction? - Stack Overflow
June 23, 2023 - import os from vulnerability import hack def login(username): users = ['Nkoli', 'Hyperion', 'Ori', 'Tony'] if username in users: return f"Welcome, {username}." else: return "" print("This code will log a username in") if os.path.exists("hack3.txt"): with open("hack3.txt", 'r') as in_file: user_input = in_file.read() else: user_input = input("Enter your username\n: ") // Then, we run the code print(eval(f"login('{user_input}')")) # hack1.txt hack() ... Do not use eval() for this. It's evil ... I believe this is an exercise from a cybersecurity MOOC, so I guess they're using this to demonstrate just how eval() introduces injection vulnerabilities.
Blogger
sethsec.blogspot.com › 2016 › 11 › exploiting-python-code-injection-in-web.html
Exploiting Python Code Injection in Web Applications
November 20, 2016 - Although you would be hard pressed to find an article online that talks about python eval() without warning that it is unsafe, eval() is the most likely culprit here. When you have the following two conditions, the vulnerability exists: Application accepts user input (e.g., GET/POST param, cookie value) Application passes that user controlled input to eval in an unsafe way (without sanitization or other protection mechanisms). Here is a simplified version of what the vulnerable code could look like:
CodeQL
codeql.github.com › codeql-query-help › python › py-code-injection
Code injection — CodeQL query help documentation - GitHub
ID: py/code-injection Kind: ... python-security-and-quality.qls ... Directly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution....
Invicti
invicti.com › web-application-vulnerabilities › code-evaluation-python
Code Evaluation (Python) - Web Application Vulnerabilities | Invicti
This application is vulnerable to Python code injection, a critical security flaw that occurs when user-supplied input is passed directly into Python's dynamic code evaluation functions (such as eval(), exec(), or compile()) without proper validation or sanitization.
https://probely.com
probely.com › vulnerabilities › python-code-injection
Python code injection - Probely
A Python code injection vulnerability allows the attacker to execute arbitrary Python code into the application. In the worst-case scenario, the attacker will be able to fully administrate the server, which will enable him to extract sensitive ...
StackHawk
stackhawk.com › stackhawk, inc. › vulnerabilities and remediation › preventing command injection in python: a guide to security
Preventing Command Injection in Python: A Guide to Security
January 13, 2025 - So in this post we will get you familiar with command injection via concrete examples—more precisely, command injection in Python. Command injection sends malicious data into an application that can lead to grave damage when dynamically evaluated by the code interpreter.