Critical Code Injection Vulnerability in arubis/nodegoat-vulnerability-demo: eval() on User Input at Line 32
A critical security flaw has been identified in the `arubis/nodegoat-vulnerability-demo` repository, exposing the application to remote code execution. The vulnerability, classified as CWE-94 (Improper Control of Generation of Code), resides in the `app/routes/contributions.js` file. On line 32, the code directly passes user-controlled input from `req.body.preTax` to the `eval()` function. This dangerous practice allows an attacker to inject and execute arbitrary JavaScript code on the server, potentially leading to full system compromise, data theft, or further network infiltration.
The finding was automatically generated by the RSOLV security scanner with 80% confidence and is mapped to the OWASP Top 10 2021 category A03: Injection. The vulnerable code snippet is stark: `const preTax = eval(req.body.preTax);`. This line represents a textbook example of an injection vulnerability where unsanitized external input is fed directly into a powerful code execution engine. The repository's `main` branch was scanned on April 12, 2026, confirming the active presence of this high-severity issue.
This vulnerability places the entire application and its underlying infrastructure at immediate risk. Calling `eval()` on user input is a severe architectural anti-pattern: it bypasses every standard security boundary, because whatever the client sends runs with the full privileges of the Node.js process. The scanner's recommendation is unequivocal: eliminate `eval()` and replace it with safe alternatives such as `JSON.parse()` for data parsing. If dynamic code execution is an absolute requirement, it must move into a strictly sandboxed environment and be paired with rigorous input validation. Failure to remediate this finding leaves a wide-open door for attackers.
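The following is an added example, not code from the `arubis/nodegoat-vulnerability-demo` repository or from the RSOLV scanner. It shows the remediation the finding calls for: the `eval()` line from the report is kept only as a comment, and the replacement treats `req.body.preTax` as data, parsing it with a strict number check (and, as a second option, `JSON.parse()`, which yields values and never executes code). The `MAX_CONTRIBUTION` limit, the `parseContribution` and `handleContribution` function names and the shape of the returned objects are assumptions made for the example; `req.body` is the parsed request body as Express provides it.

```javascript
// Vulnerable line as reported on the page (app/routes/contributions.js, line 32):
//   const preTax = eval(req.body.preTax);
// Any string the client sends is executed as JavaScript inside the server process.

// Assumed business limit for a contribution percentage; not taken from the page.
const MAX_CONTRIBUTION = 30;

// Strict parser for a contribution amount. It accepts a JSON number or a plain
// decimal string and rejects everything else. Nothing the client sends is ever
// evaluated; the regex only admits digits and an optional fraction.
function parseContribution(raw) {
  let value;
  if (typeof raw === 'number') {
    value = raw;
  } else if (typeof raw === 'string' && /^\s*\d+(\.\d+)?\s*$/.test(raw)) {
    value = Number(raw);
  } else {
    return { ok: false, error: 'contribution must be a non-negative decimal number' };
  }
  // Range check after type check: finite, non-negative, within the assumed limit.
  if (!Number.isFinite(value) || value < 0 || value > MAX_CONTRIBUTION) {
    return { ok: false, error: `contribution must be between 0 and ${MAX_CONTRIBUTION}` };
  }
  return { ok: true, value };
}

// Handler-shaped helper: takes the parsed body (what req.body holds in Express)
// and returns what the route would respond with. A real route would call
// res.status(...).json(...) with these values; kept as a return so it is testable.
function handleContribution(body) {
  const preTax = parseContribution(body.preTax);
  if (!preTax.ok) {
    return { status: 400, error: preTax.error };
  }
  return { status: 200, preTax: preTax.value };
}

// Why JSON.parse() is the recommended substitute: it produces data, never runs
// code, and throws a SyntaxError on anything that is not JSON (an expression
// like "1+1" is simply rejected instead of being computed).
function jsonParseIsInert(text) {
  try {
    const v = JSON.parse(text);
    return { parsed: true, type: typeof v };
  } catch (e) {
    return { parsed: false, type: e.name };
  }
}

// Constructed sample bodies, as a client might submit them:
console.log(handleContribution({ preTax: '12.5' }));        // { status: 200, preTax: 12.5 }
console.log(handleContribution({ preTax: 'Math.random()' })); // { status: 400, error: ... }
console.log(jsonParseIsInert('1+1'));                          // { parsed: false, type: 'SyntaxError' }
```

The key design point is that validation happens on the type and range of a value, not on the text of a program: there is no blocklist of "dangerous" substrings to get wrong, and a malformed or hostile field is answered with a 400 rather than being handed to the JavaScript engine.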