no-eval
Detects dangerous eval() and similar code execution patterns. This rule is part of [`eslint-plugin-frontend-security`](https://www.npmjs.com/package/eslint-plug
Keywords: eval, code injection, CWE-94, security, dynamic code execution, Function constructor
Detects dangerous eval() and similar code execution patterns. This rule is part of eslint-plugin-frontend-security.
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-94 (Code Injection) |
| Severity | 🔴 Critical |
| Auto-Fix | ❌ No (requires refactoring) |
| Category | Security |
| Best For | All JavaScript applications |
Vulnerability and Risk
Vulnerability: eval() and similar functions execute arbitrary code, allowing attackers to run malicious scripts if they can control the input.
Risk: Code injection can lead to:
- Complete application compromise
- Data theft
- Remote code execution
- Cryptocurrency mining
Dangerous Patterns
Examples
❌ Incorrect
// Direct eval - CRITICAL
eval(userInput);
eval('console.log("' + userData + '")');
// Function constructor - CRITICAL
const fn = new Function(userCode);
const fn = new Function('a', 'b', userExpression);
// setTimeout/setInterval with strings - VULNERABLE
setTimeout('doSomething(' + userId + ')', 1000);
setInterval(userAction, 500);✅ Correct
// Use JSON.parse for data
const data = JSON.parse(jsonString);
// Use proper function references
setTimeout(() => doSomething(userId), 1000);
setInterval(processQueue, 500);
// Use a safe expression parser for calculators
import { Parser } from 'expr-eval';
const parser = new Parser();
const result = parser.evaluate(expression);Options
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | false | Allow eval in test files |
{
"rules": {
"frontend-security/no-eval": "error"
}
}Common Use Cases and Alternatives
| Use Case | Instead of eval | Use This |
|---|---|---|
| JSON parsing | eval(jsonStr) | JSON.parse(jsonStr) |
| Math expressions | eval(expr) | expr-eval or mathjs |
| Dynamic property | eval('obj.' + prop) | obj[prop] |
| Template rendering | eval(template) | Template literals, Handlebars |
| Config objects | eval(configStr) | JSON.parse() or YAML parser |
Related Rules
no-innerhtml- XSS via innerHTML
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Aliased eval
Why: eval assigned to a variable is not traced.
// ❌ NOT DETECTED - Aliased eval
const execute = eval;
execute(userInput);Mitigation: Never alias eval. Use strict mode.
Indirect eval via window
Why: Window property access may not be detected.
// ❌ NOT DETECTED - Indirect via window
window['eval'](userInput);Mitigation: Avoid dynamic eval invocation.
Dynamic import()
Why: Dynamic import with user input is different but still dangerous.
// ❌ NOT DETECTED - Dynamic import
import(userControlledPath);Mitigation: Validate import paths. Use allowlist.
Web Workers
Why: eval in Worker context may not be recognized.
// ❌ NOT DETECTED - Worker eval
new Worker(`data:,${userCode}`);Mitigation: Review Worker creation patterns.
Resources
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-94 OWASP:A05 CVSS:9.8 | Code Injection detected | CRITICAL [SOC2,PCI-DSS,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-94 OWASP:A05 CVSS:9.8 |
| Issue Description | Specific vulnerability | Code Injection detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |