Remote Code Execution

If the string being executed as code comes from an untrusted source, however, you are in serious trouble. An attacker may be able to supply code in an HTTP request and execute it on your server. This will allow them to delete files, read sensitive data, install malware, and perform other malicious acts.

malicious-input.js
 let cmd = "fs.rmSync('/'," + '{ recursive: true, ' + '  force: true })';

// This will delete everything
// on the disk. Oops.
eval(cmd);

output.log