OWASP Global AppSec EU 2026 Vienna

The need to isolate untrusted code or user-provided expressions is ubiquitous, even in backend systems, and there are many misconceptions around this practice. Workflow automation platforms allow users to provide complex constraints evaluated on the server, AI agents must securely execute synthesized code, and reused untrusted UI components might render on the server-side. In practice, many developers gravitate toward lightweight eval-based shortcuts instead of robust isolation primitives like OS-level or runtime-based sandboxing, often unaware of the security pitfalls. These dangerous language-features are still very prevalent across OSS ecosystems and they are the culprit of many recent vulnerabilities. While there exist legitimate use cases for eval-like APIs, developers continue to abuse them when attempting to isolate the execution of untrusted code, despite years of warnings from the security and programming language communities. If you really need to use these features, this talk can help you understand what can go wrong and how to mitigate these risks.

I will first motivate the need for lightweight, language-based isolation in scripting languages and highlight the fundamental challenges in this space, grounding the empirical work in several top-tier academic publications I co-authored on the topic. I will then present four misconceptions around language-based sandboxing, underlying more than 20 zero-day vulnerabilities I discovered in the past six months in popular projects across JavaScript and Python, revealing fundamental flaws in isolation approaches. We will examine why built-in isolation primitives like Node.js's vm module and Python's Pysandbox fail to provide adequate security, and explore the real-world consequences through case studies involving major platforms. The talk will then shift to practical solutions, covering best practices and emerging isolation features, including the permission model in modern runtimes like Deno. Attendees will gain a deeper understanding of the isolation landscape and leave with actionable guidance on how to safely handle untrusted code execution in their applications. While this talk is not an endorsement for using eval-like features in scripting languages, it is a guide about the things that work in practice and about the ones that fail spectacularly in production.