Dangerous use of eval with user input detected


Using eval (and similar code execution methods such as setTimeout) with user input is dangerous and can lead to remote code execution.


❌ As a general rule, avoid using eval.

❌ Avoid using code execution methods with unsanitized user input.

Instead, it might be possible to use dynamic hardcoded values:

  app.post("/:id", (req, res) => {
let myFunc = "(a, b) => a + b"
if req.params["single_item"] {
myFunc = "(a) => a"


or pass user input to a compiled function, instead of compiling it with user input.

  app.post("/:id", (req, res) => {
let myFunc = "(a, b) => a + b"
let compiledFunction = vm.compileFunction(myFunc);
compiledFunction(req.params["pageCount"], req.params["appendixPageCount"])

✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods

  "use strict"

app.post("/:id", (req, res) => {


Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.