The vulnerable Node.js Express application includes an endpoint that evaluates user-submitted mathematical expressions using the eval function. The eval function is inherently dangerous because it executes arbitrary code, which leads to a Remote Code Execution vulnerability. An attacker can exploit this vulnerability by injecting malicious code into the input field, resulting in arbitrary command execution on the server.

Navigate to http://localhost:3000 in your browser. Enter the following payload in the input field to demonstrate the vulnerability:

```javascript
require('child_process').exec('ls', console.log)
```

This payload will execute the ls command on the server, displaying the contents of the directory.

Vulnerable Code Segment:

The vulnerability is primarily located in the routes/calculator.js file, specifically in the following code segment where user input is evaluated using the eval function:

```javascript
const express = require('express');
const router = express.Router();

router.post('/calculate', (req, res) => {
  // Taken directly from the request body, with no validation
  const expression = req.body.expression;
  try {
    // This is where the vulnerability is introduced:
    // eval runs the submitted string as JavaScript inside the server process
    const result = eval(expression);
    res.sendFile('result.html', { root: 'views' }, (err) => {
      if (err) {
        res.status(500).send(err);
      }
    });
  } catch (error) {
    // Input that throws during evaluation gets the error page
    res.sendFile('error.html', { root: 'views' }, (err) => {
      if (err) {
        res.status(500).send(err);
      }
    });
  }
});

module.exports = router;
```

To mitigate this vulnerability, avoid using eval with user inputs. Instead, use a library like mathjs to safely evaluate mathematical expressions without executing arbitrary code.
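
The mitigation above, as an added example that is not part of the original application: instead of mathjs, which the page recommends, it uses a small hand-written recursive-descent parser so that it runs with no dependencies. `safeCalculate` and `MAX_LEN` are hypothetical names; the function accepts only numbers, `+ - * /` and parentheses, and rejects everything else, including the payload shown earlier.

```javascript
// Added example: allowlist evaluator for + - * / and parentheses (no eval).
// safeCalculate and MAX_LEN are hypothetical names, not from the application.
const MAX_LEN = 200; // assumed cap; also bounds parser recursion depth

function safeCalculate(input) {
  const fail = () => { throw new Error('invalid expression'); };
  if (typeof input !== 'string' || input.length > MAX_LEN) fail();

  // Tokenize into numbers, operators and parentheses. If any character other
  // than whitespace was skipped, the input contains something not allowed.
  const tokens = input.match(/\d+(?:\.\d+)?|[-+*/()]/g) || [];
  if (tokens.join('') !== input.replace(/\s+/g, '')) fail();

  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  // factor := number | '-' factor | '(' expr ')'
  function factor() {
    const t = next();
    if (t === '-') return -factor();
    if (t === '(') {
      const v = expr();
      if (next() !== ')') fail();
      return v;
    }
    if (t === undefined || !/^\d/.test(t)) fail();
    return parseFloat(t);
  }
  // term := factor (('*' | '/') factor)*
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      v = next() === '*' ? v * factor() : v / factor();
    }
    return v;
  }
  // expr := term (('+' | '-') term)*
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      v = next() === '+' ? v + term() : v - term();
    }
    return v;
  }

  const result = expr();
  // Reject leftover tokens ("1 2") and non-finite results ("1/0").
  if (pos !== tokens.length || !Number.isFinite(result)) fail();
  return result;
}
```

In the route, `eval(expression)` would be replaced by `safeCalculate(req.body.expression)`, with the existing catch block handling rejected input.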