CRITICALSecuritysmallNode.js Security

Avoid eval() and Dynamic Code Execution

Never use eval(), new Function(), or vm.runInScript() with user-provided input. These functions execute arbitrary code with the full privileges of your Node.js process — an attacker can read files, access databases, or take over the entire server.

Why This Matters

eval() and new Function() execute arbitrary JavaScript with the same permissions as your Node.js process. An attacker who controls the input to these functions can read environment variables (database credentials, API keys), access the filesystem, make network requests, or spawn child processes — achieving full remote code execution.

Related Rules

Sanitize User Input

Security

CRITICAL

Set Security Headers

Security

HIGH

Avoid Prototype Pollution

Security

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why this matters

eval(), new Function(), and vm.runInNewContext() compile and execute strings as JavaScript code. When user input reaches these functions, the attacker can execute arbitrary code with the full privileges of your Node.js process.

This is not a theoretical risk — it is the most severe vulnerability class (Remote Code Execution / RCE). An attacker who achieves RCE can:

Read process.env to steal database credentials, API keys, and secrets
Read and write files on the filesystem
Make network requests to internal services
Spawn child processes to install backdoors or exfiltrate data
Pivot to other systems in the network

Even vm.runInNewContext() is not a sandbox — it can be escaped to access the host process.

The rule

Never use eval(), new Function(), vm.runInNewContext(), or setTimeout/setInterval with string arguments. If you need to parse structured data, use JSON.parse(). If you need dynamic behavior, use a lookup table or strategy pattern.

Bad example

// eval with user input — full RCE
app.post("/calculate", (req, res) => {
  const result = eval(req.body.expression); // Attacker sends: process.env.DATABASE_URL
  res.json({ result });
});
 
// new Function with user input — same risk
const fn = new Function("return " + req.body.formula);
 
// setTimeout with string — evaluates as code
setTimeout("alert(' + userInput + ')", 1000);

Good example

// Safe math evaluation with a parser library
import { evaluate } from "mathjs";
 
app.post("/calculate", (req, res) => {
  const result = evaluate(req.body.expression); // Only evaluates math
  res.json({ result });
});
 
// Strategy pattern instead of dynamic code
const operations: Record<string, (a: number, b: number) => number> = {
  add: (a, b) => a + b,
  subtract: (a, b) => a - b,
  multiply: (a, b) => a * b,
};
 
app.post("/calculate", (req, res) => {
  const { operation, a, b } = req.body;
  const fn = operations[operation];
  if (!fn) return res.status(400).json({ error: "Unknown operation" });
  res.json({ result: fn(a, b) });
});

How to detect

Search for eval and dynamic code execution:

grep -rn 'eval(\|new Function(\|vm\.run\|setTimeout(\s*[\x27"]' --include="*.ts" --include="*.js"

Remediation

Search the entire codebase for eval, new Function, vm.run, and string-argument setTimeout/setInterval
For math evaluation, replace with a safe parser like mathjs
For dynamic behavior, use lookup tables, strategy patterns, or configuration objects
For JSON parsing, use JSON.parse() with a try/catch
Add an ESLint rule: no-eval and no-new-func to prevent future usage

Avoid eval() and Dynamic Code Execution

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why this matters

The rule

Bad example

Good example

How to detect

Remediation

References