Loading of resource resolved from external name detected.


Loading code dynamically from a path formed from user input can allow an attacker to execute arbitrary code.


❌ Avoid passing user or request input to require().

✅ Where relying on user input is unavoidable, sanitize the input or use a safelist:

var path = req.body.path
if (['users', 'posts', 'pages'].includes(path)) {
  require(path) // reached only for a safelisted module name
}
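
A fuller version of the safelist check, as an added example that is not part of the original rule documentation: the request value is used only as a lookup key, and the path given to require() always comes from the safelist. The helper names (`loadSafelisted`, `tryLoad`), the temporary module directory and the sample inputs are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed sample modules, written to a temp dir so the example runs offline.
const MODULE_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'safelist-demo-'));
for (const name of ['users', 'posts', 'pages']) {
  fs.writeFileSync(path.join(MODULE_DIR, `${name}.js`),
    `module.exports = { name: ${JSON.stringify(name)} };\n`);
}

// Safelist: request value -> fixed absolute file path. A Map keeps inherited
// object keys such as "__proto__" or "constructor" from matching by accident.
const SAFELIST = new Map(
  ['users', 'posts', 'pages'].map((n) => [n, path.join(MODULE_DIR, `${n}.js`)])
);

// Hypothetical helper: returns the module for a safelisted name, otherwise throws.
function loadSafelisted(input) {
  if (typeof input !== 'string' || !SAFELIST.has(input)) {
    throw new Error('module not allowed');
  }
  // The path passed to require() comes from the safelist, never from the input.
  return require(SAFELIST.get(input));
}

// Runs the loader over an input and reports the outcome instead of throwing.
function tryLoad(input) {
  try {
    return { ok: true, name: loadSafelisted(input).name };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed request values: the first is valid, the rest must be rejected.
const samples = ['users', '../users', 'users.js', 'child_process', '__proto__', ['users'], undefined];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(tryLoad(s)));
}
```

Because the lookup is an exact match on a string key, near-misses such as a relative path, an added file extension, or a non-string body value are rejected without any normalization step.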

Associated CWE

OWASP Top 10
