Windsurf Generated Code Using eval() or Function Constructor
Windsurf's Cascade assistant generated JavaScript or TypeScript code that uses eval(), new Function(), or setTimeout/setInterval with string arguments to dynamically execute code. These patterns create severe code injection vulnerabilities that allow attackers to run arbitrary code in your application.
This typically happens when Cascade generates code to parse user input, build dynamic queries, process configuration files, or create flexible template systems. The generated code works correctly but introduces a critical attack surface.
You might discover this during a security audit, when a linter flags eval usage, or when a code review catches the pattern. If deployed to production, any user-controlled input reaching these eval calls could be exploited.
Error Messages You Might See
Common Causes
- Dynamic JSON parsing with eval — Cascade used eval() to parse JSON instead of JSON.parse(), often when handling API responses with complex structures
- String-based computed properties — Generated code uses eval to dynamically access nested object properties instead of bracket notation or lodash.get
- Template string execution — Cascade built a template engine using new Function() to interpolate variables into strings
- Dynamic import construction — Code constructs module import paths using eval rather than dynamic import() expressions
- Math expression evaluation — A calculator or formula feature uses eval() to compute user-entered expressions
How to Fix It
- Search your codebase for eval patterns — Run grep -rn 'eval\|new Function\|setTimeout.*"\|setInterval.*"' src/ to find all instances
- Replace eval(JSON) with JSON.parse() — Every eval() call parsing JSON can be safely replaced with JSON.parse() wrapped in try-catch
- Use bracket notation for dynamic properties — Replace eval('obj.' + path) with a safe property accessor function that splits the path and walks the object
- Install a math expression parser — Replace eval() for math with a safe library like mathjs or expr-eval that only allows mathematical operations
- Add ESLint no-eval rule — Add 'no-eval': 'error' and 'no-new-func': 'error' to your ESLint config to prevent future occurrences
- Implement Content-Security-Policy — Add a CSP header with script-src that excludes 'unsafe-eval' to block eval at the browser level
Real developers can help you.
Richard McSorley
Full-Stack Software Engineer with 8+ years building high-performance applications for enterprise clients. Shipped production systems at Walmart (4,000+ stores), Cigna (20M+ users), and Arkansas Blue Cross. 5 patents in retail/supply chain tech. Currently focused on AI integrations, automation tools, and TypeScript-first architectures.
BurnHavoc
Been around fixing other peoples code for 20 years.
Jen Jacobsen
I’m a Full-Stack Developer with over 10 years of experience building modern web and mobile applications. I enjoy working across the full product lifecycle — turning ideas into real, well-built products that are intuitive for users and scalable for businesses.
I particularly enjoy building mobile apps, modern web platforms, and solving complex technical problems in a way that keeps systems clean, reliable, and easy to maintain.
zipking
I am a technologist and product builder dedicated to creating high-impact solutions at the intersection of AI and specialized markets. Currently, I am focused on PropScan (EstateGuard), an AI-driven SaaS platform tailored for the Japanese real estate industry, and exploring the potential of Archify.
As an INFJ-T, I approach development with a "systems-thinking" mindset—balancing technical precision with a deep understanding of user needs. I particularly enjoy the challenge of architecting Vertical AI SaaS and optimizing Small Language Models (SLMs) to solve specific, real-world business problems. Whether I'm in a CTO-level leadership role or hands-on with the code, I thrive on building tools that turn complex data into actionable value.
Pratik
SWE with 15+ years of experience building and maintaining web apps and extensive BE infrastructure
Bastien Labelle
Full stack dev w/ 20+ years of experience
Victor Denisov
Developer
Prakash Prajapati
I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale.
Daniel Vázquez
Software Engineer with over 10 years of experience on Startups, Government, big tech industry & consulting.
Luca Liberati
I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
Why is eval() dangerous even if it works correctly?
eval() executes any string as code. If an attacker can influence the string (through URL parameters, form inputs, database values), they can run arbitrary JavaScript — stealing cookies, accessing APIs, or modifying your page.
Is JSON.parse() always a safe replacement for eval()?
For parsing JSON data, yes. JSON.parse() only parses valid JSON and cannot execute code. Wrap it in try-catch to handle malformed input gracefully.