When using the Function constructor in JavaScript, a function object is dynamically created from the given code:
const input = 'return 2 + 3;'; // (1)
const fun = new Function(input); // (2)
const ret = fun(); // (3)
Assuming the input string (1) is arbitrary user input, is it insecure to parse it (2), even if it is never evaluated (3)?
EDIT:
I receive the string (1) directly from user input, e.g. via the web. It is completely unfiltered and I have no way to verify it beyond assuming it is malicious. I am ok putting a try/catch around the Function constructor to prevent syntax error on parse, but I am specifically interested in other security issues (mangling well-known globals, like in https://haacked.com/archive/2009/06/25/json-hijacking.aspx/).
It should be pretty safe. JSON hijacking is a bug that was fixed for exactly this reason.
Parsing it tells you only whether it is syntactically valid; there is no execution of any of the input. However, parsing can be costly in terms of performance, so if an attacker controls the input it might be used to DoS your environment.
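An added illustration of the point above (not code from the question or the answer): a parse-only check that wraps the constructor in a try/catch, never calls the resulting function, and bounds the input size so the parser cost stays limited. The names `checkSyntax` and `MAX_SOURCE_LENGTH` and the sample inputs are constructed for this example.

```javascript
// Assumed cap on source length, to bound parser work from untrusted input.
const MAX_SOURCE_LENGTH = 10000;

// Returns { ok, reason }: whether `src` compiled as a function body.
// The function object is created and then discarded; it is never invoked.
function checkSyntax(src, maxLen = MAX_SOURCE_LENGTH) {
  if (typeof src !== 'string') return { ok: false, reason: 'not a string' };
  if (src.length > maxLen) return { ok: false, reason: 'too long' };
  try {
    new Function(src); // compiled only, never called
    return { ok: true, reason: null };
  } catch (e) {
    // Only SyntaxError is expected from parsing; anything else is re-thrown.
    if (e instanceof SyntaxError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed inputs. The first has a visible side effect (it writes a global),
// so if parsing executed anything we would see the marker change.
globalThis.marker = 'untouched';
const sideEffectSource = 'globalThis.marker = "executed"; return 1;';
const brokenSource = 'return 2 +;';
const oversizedSource = 'x'.repeat(MAX_SOURCE_LENGTH + 1);

// Runs the three cases and reports the marker value after parsing.
function demo() {
  return {
    sideEffectParsed: checkSyntax(sideEffectSource).ok,   // true
    markerAfterParse: globalThis.marker,                  // still 'untouched'
    brokenParsed: checkSyntax(brokenSource).ok,           // false (SyntaxError)
    oversizedParsed: checkSyntax(oversizedSource).ok,     // false (rejected by cap)
  };
}
```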