Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Android
- Aws-lambda
- Castor
- Java-jwt
- Jax-rs
- Jboss
- Jdo
- Jedis
- Jjwt
- Jsch
- Kryo
- Lang
- Micronaut
- Mongo
- Mongodb
- Mysql
- Okhttp
- Rmi
- Servlets
- Spring
- Log-http-headers
- Security
- Security
- Audit
- Audit
- Castor-deserialization-deepsemgrep
- Hibernate-sqli
- Injection
- Jdbctemplate-sqli
- Jdo-sqli
- Jpa-sqli
- Kryo-deserialization-deepsemgrep
- Objectinputstream-deserialization-spring
- Spring-sqli-deepsemgrep
- Spring-tainted-code-execution
- Spring-tainted-ldap-injection
- Spring-tainted-xmldecoder
- Tainted-ssrf-spring-add
- Tainted-ssrf-spring-format
- Xstream-anytype-deserialization-deepsemgrep
- Xxe
- Simple-command-injection-direct-input
- Spring-tainted-path-traversal
- Tainted-html-string-responsebody
- Thymeleaf
- Xstream
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Spring-tainted-code-execution
Spring tainted code execution
User data flows into a script engine or another means of dynamic code evaluation. This is unsafe and could lead to code injection or arbitrary code execution as a result. Avoid inputting user data into code execution or use proper sandboxing if user code evaluation is necessary.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection