Dangerous use of eval with user input detected

  • Rule ID: javascript_express_eval_user_input
  • Languages: javascript
  • Source: eval_user_input.yml


Using eval (and similar code execution methods such as new Function, or setTimeout and setInterval called with a string instead of a function) with user input is dangerous and can lead to remote code execution: whatever the user supplies runs with the full privileges of the Node.js process.


❌ As a general rule, avoid using eval.

❌ Avoid using code execution methods with unsanitized user input.

Instead, it may be possible to choose between hardcoded values at runtime, so that only fixed strings ever reach the code execution method:

  app.post("/:id", (req, res) => {
    // Only hardcoded strings ever reach eval; the request merely picks one of them
    let myFunc = "(a, b) => a + b"
    if (req.params["single_item"]) {
      myFunc = "(a) => a"
    }
    const fn = eval(myFunc)
  })


or pass the user input as arguments to a function compiled from a fixed string, instead of compiling code that contains the user input:

  const vm = require("vm")

  app.post("/:id", (req, res) => {
    // The function body is a fixed string; only the arguments come from the request
    const compiledFunction = vm.compileFunction("return a + b", ["a", "b"])
    const total = compiledFunction(Number(req.params["pageCount"]), Number(req.params["appendixPageCount"]))
    res.json({ total })
  })

✅ Use JavaScript's strict mode as a best practice; among other things, it stops code run through eval from declaring variables in the enclosing scope, which limits what injected code can reach:

  "use strict"

  app.post("/:id", (req, res) => {
    // handler body as above; any eval inside it now runs in its own variable scope
  })


Associated CWE

OWASP Top 10