VC030A03:2021·CWE-95

eval() usage

`eval()` or `new Function()` called with input that traces back to a user. Lets attackers execute arbitrary JavaScript in your runtime.

What this rule detects

VC030 looks for `eval()`, `Function()` constructor, and `setTimeout`/`setInterval` called with a string instead of a function — all of which evaluate their argument as JavaScript. The rule traces taint: it fires when the argument can come from request body, query string, headers, cookies, or imported user-controlled data.

Vulnerable vs. safe code

Vulnerable
// Calculator endpoint: lets users compute expressions.
app.post("/calc", (req, res) => {
  const result = eval(req.body.expression);
  res.json({ result });
});

// Attacker sends: { "expression": "process.exit(1)" }
Safe
// Use a sandboxed expression library, not eval.
import { evaluate } from "mathjs";

app.post("/calc", (req, res) => {
  try {
    const result = evaluate(req.body.expression);
    res.json({ result });
  } catch (err) {
    res.status(400).json({ error: "Invalid expression" });
  }
});

About A03:2021Injection

Injection happens when user input is concatenated directly into SQL queries, shell commands, HTML, or any other interpreter. SQL injection has been #1 or #2 on the OWASP Top 10 since the list was created in 2003 — it's the oldest class of web bug that still ships every week.

Impact: SQL injection: attacker reads or modifies your entire database. Command injection: attacker runs arbitrary shell commands on your server. XSS: attacker steals session cookies and impersonates other users. Each one is typically a critical-severity finding.

How to fix it: Always use parameterized queries (prepared statements) for SQL. Never use template literals or string concatenation with user input in queries. For HTML output, use your framework's auto-escaping. For shell commands, use APIs that take an array of arguments instead of `exec()` with a string.

Common patterns in this category:

  • SQL queries built with string concatenation or template literals
  • `child_process.exec()` called with user input concatenated into the command
  • `dangerouslySetInnerHTML` with user-controlled data
  • `eval()` or `Function()` called with user input
  • `innerHTML` assignment without sanitization

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2
CC6.8, CC7.1
ISO 27001
A.8.28, A.8.25
OWASP Top 10
A03:2021Injection
CWE
CWE-95

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC030 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

Scan Your Code →

Related rules in A03:2021

← All security rules
VC030: eval() usage | XploitScan Rules