EvalError
JavaScript Programming Language
Severity: Minor
What Does This Error Mean?
An EvalError is related to the eval() function in JavaScript. In modern JavaScript, browsers rarely throw this error in practice — it is mostly a legacy error type. If you see it, it usually means the eval() function was used in a way that is not permitted in the current environment.
Affected Models
- All browsers
- Node.js
- Deno
- Any JavaScript runtime
Common Causes
- Using eval() in an environment where it is blocked by a Content Security Policy (CSP)
- Old code that was written when eval() had stricter rules and threw EvalErrors more frequently
- Manually throwing an EvalError in custom code (rare)
- Using eval() in strict mode in older JavaScript engines
- A third-party library internally using eval() in a restricted environment
How to Fix It
- Search your code for any use of eval(). If you find it, that is almost certainly the cause.
  In most modern code editors, use Ctrl+F (or Cmd+F on Mac) and search for 'eval(' to find all uses.
- Replace eval() with a safer alternative. If you are using it to parse JSON, use JSON.parse() instead.
  JSON.parse(text) is the correct and safe way to turn a JSON string into a JavaScript object.
- If eval() is being used to run dynamic code, rethink the approach. Most tasks that seem to need eval() can be solved with functions, objects, or switch statements.
  eval() is considered dangerous because it can run any code, including malicious code injected by attackers.
- If the error is caused by a Content Security Policy blocking eval(), check your server headers or meta tags for the CSP policy.
  A CSP that does not allow 'unsafe-eval' blocks eval() on purpose; it is a security feature protecting your users. Do not simply add 'unsafe-eval' to bypass it.
- If the eval() usage is in a third-party library, update the library to a newer version that does not use eval().
  Many older libraries used eval() for convenience. Modern versions have usually removed it.
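The replacement described in the steps above, as an added example that is not code from the original page: a request handler that parses its input with JSON.parse() and picks the operation from a fixed table instead of passing a string to eval(). The message shape and the names OPERATIONS, parseRequest and handleRequest are assumptions made for the illustration.

```javascript
// Added example: handling a request such as {"op":"add","args":[2,3]}
// without eval(). Operation names and message shape are hypothetical.

// Allow-list of operations. Object.create(null) gives a table with no
// prototype, so inherited names such as "constructor" or "toString"
// cannot be reached through a lookup.
const OPERATIONS = Object.assign(Object.create(null), {
  add: (a, b) => a + b,
  multiply: (a, b) => a * b,
  upper: (s) => String(s).toUpperCase(),
});

// Parse untrusted text as data only. JSON.parse never executes code;
// it throws SyntaxError on anything that is not valid JSON.
function parseRequest(text) {
  let msg;
  try {
    msg = JSON.parse(text);
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, error: "invalid JSON" };
    }
    throw err; // unexpected failure: do not hide it
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg) ||
      typeof msg.op !== "string" || !Array.isArray(msg.args)) {
    return { ok: false, error: "malformed request" };
  }
  return { ok: true, op: msg.op, args: msg.args };
}

// Dispatch to a known function instead of building a string for eval().
function handleRequest(text) {
  const req = parseRequest(text);
  if (!req.ok) return req;
  const fn = OPERATIONS[req.op];
  if (typeof fn !== "function") {
    return { ok: false, error: "unknown operation" };
  }
  return { ok: true, result: fn(...req.args) };
}

// Constructed sample inputs.
console.log(handleRequest('{"op":"add","args":[2,3]}'));
console.log(handleRequest('{"op":"constructor","args":[]}'));
console.log(handleRequest('alert(1)'));
```

Because nothing in this handler compiles a string into code, it keeps working under a Content Security Policy that does not allow 'unsafe-eval'.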
When to Call a Professional
EvalErrors are rare in modern JavaScript development. The real fix is almost always to stop using eval() entirely — not to work around the error. If you inherited old code that uses eval() heavily, consider getting a code review.
Frequently Asked Questions
Is eval() dangerous?
Yes — eval() is widely considered one of the most dangerous functions in JavaScript. It executes whatever string you pass it as real code. If any user input ever makes it into an eval() call, an attacker could run malicious code on your users' machines. The rule in modern JavaScript is: never use eval().
Why does EvalError almost never appear in modern code?
When JavaScript was being designed, the spec included EvalError for when eval() was misused. But as the language evolved, most browsers stopped throwing it in normal situations. It is kept in the language for backwards compatibility and for developers who want to manually throw it in their own error handling systems.
What should I use instead of eval() for parsing JSON?
Always use JSON.parse() to convert a JSON string into a JavaScript object. It is safe, fast, and built into every JavaScript environment. JSON.parse() will throw a SyntaxError if the string is not valid JSON, which you can catch with a try/catch block.