Remote Code Execution from Untrusted Input Passed to ScriptEngine.eval

Critical Risk Template & Code Injection
Tags: javascript-engine, javascript, groovy, rce, code-injection

What it is

Remote code execution (RCE): An attacker can execute arbitrary code by injecting malicious scripts, compromising data and the host running the application.

Why it happens

Passing untrusted user input directly to ScriptEngine.eval() for execution.

Root causes

User Input in Script Evaluation

Passing untrusted user input directly to ScriptEngine.eval() for execution.

Dynamic Code Generation

Building JavaScript code strings with user data and executing them through ScriptEngine.

Unsafe Template Processing

Using JavaScript engines to process user-controlled templates without proper sandboxing.

Fixes

1. Eliminate ScriptEngine Usage

Remove ScriptEngine entirely and use safe alternatives like expression languages or domain-specific parsers.

2. Use Safe Expression Languages

Replace JavaScript evaluation with SpEL, JEXL, or MVEL configured with restricted method access.

3. Input Validation and Whitelisting

If scripting is unavoidable, strictly validate and whitelist allowed operations through custom script analyzers.
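The following is an added example, not Sourcery's code, showing fixes 1 and 3 together for the most common reason ScriptEngine.eval ends up holding user input: evaluating a user-supplied formula. Instead of handing the string to a JavaScript engine (which exposes the whole language plus Java interop to whoever controls the string), a small domain-specific parser accepts only arithmetic over a fixed whitelist of variable names and rejects everything else before anything is evaluated. The class name SafeFormula, the variable names price, qty and discount, and the grammar are assumptions made for this example.

```java
// Added example (not Sourcery's code): a whitelist-based formula evaluator that
// replaces ScriptEngine.eval for the "user-supplied arithmetic formula" use case.
import java.util.Map;
import java.util.Set;

public final class SafeFormula {

    // The only identifiers a user formula may reference (assumption for this example).
    private static final Set<String> ALLOWED_VARS = Set.of("price", "qty", "discount");

    // The pattern the page warns about, shown only for contrast:
    //   ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
    //   Object result = engine.eval(userFormula);   // full JS engine + Java interop exposed
    // Everything below replaces that call with a parser that never executes code.

    public static double evaluate(String formula, Map<String, Double> vars) {
        for (String v : vars.keySet()) {
            if (!ALLOWED_VARS.contains(v)) throw new IllegalArgumentException("variable not allowed: " + v);
        }
        Parser p = new Parser(formula, vars);
        double value = p.parseExpr();
        // Trailing input that the grammar did not consume (e.g. "; foo()") is an error, not ignored.
        if (p.pos != formula.length()) throw new IllegalArgumentException("unexpected input at " + p.pos);
        return value;
    }

    // Recursive-descent parser for: expr := term (('+'|'-') term)*
    //                               term := factor (('*'|'/') factor)*
    //                               factor := number | identifier | '(' expr ')' | '-' factor
    private static final class Parser {
        private final String s;
        private final Map<String, Double> vars;
        int pos = 0;

        Parser(String s, Map<String, Double> vars) { this.s = s; this.vars = vars; }

        double parseExpr() {
            double v = parseTerm();
            while (true) {
                skipWs();
                if (peek() == '+') { pos++; v += parseTerm(); }
                else if (peek() == '-') { pos++; v -= parseTerm(); }
                else return v;
            }
        }

        double parseTerm() {
            double v = parseFactor();
            while (true) {
                skipWs();
                if (peek() == '*') { pos++; v *= parseFactor(); }
                else if (peek() == '/') { pos++; v /= parseFactor(); }
                else return v;
            }
        }

        double parseFactor() {
            skipWs();
            char c = peek();
            if (c == '(') { pos++; double v = parseExpr(); skipWs(); expect(')'); return v; }
            if (c == '-') { pos++; return -parseFactor(); }
            if (Character.isDigit(c) || c == '.') return parseNumber();
            if (Character.isLetter(c)) return parseIdentifier();
            throw new IllegalArgumentException("unexpected character at " + pos);
        }

        double parseNumber() {
            int start = pos;
            while (Character.isDigit(peek()) || peek() == '.') pos++;
            return Double.parseDouble(s.substring(start, pos)); // NumberFormatException is an IllegalArgumentException
        }

        double parseIdentifier() {
            int start = pos;
            while (Character.isLetterOrDigit(peek()) || peek() == '_') pos++;
            String name = s.substring(start, pos);
            // Identifiers are looked up in a map, never resolved to classes, methods or properties.
            if (!ALLOWED_VARS.contains(name) || !vars.containsKey(name)) {
                throw new IllegalArgumentException("unknown variable: " + name);
            }
            return vars.get(name);
        }

        char peek() { return pos < s.length() ? s.charAt(pos) : '\0'; }
        void skipWs() { while (Character.isWhitespace(peek())) pos++; }
        void expect(char c) {
            if (peek() != c) throw new IllegalArgumentException("expected '" + c + "' at " + pos);
            pos++;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate formula and one with trailing code-like text.
        Map<String, Double> vars = Map.of("price", 19.99, "qty", 3.0, "discount", 0.1);
        System.out.println(evaluate("price * qty * (1 - discount)", vars));
        try {
            evaluate("qty; foo()", vars);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the parser has no path from an input string to a Java object, class or method: the only things a formula can name are entries in a fixed map, so the worst an attacker controls is an arithmetic result. The same caveat applies to fix 2: SpEL, JEXL and MVEL resolve method calls and property access by default, so an evaluator of untrusted input in those languages is itself an injection sink unless the restricted-access configuration the fix mentions is actually in place.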

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution from untrusted input passed to ScriptEngine.eval and many other security issues in your codebase.