diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js
new file mode 100644
index 00000000000..e0cd0dd5609
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js
@@ -0,0 +1,36 @@
+const express = require('express');
+const { graphql, buildSchema } = require('graphql');
+
+const app = express();
+app.use(express.json());
+
+const schema = buildSchema(`
+ type Query {
+ greet(name: String!): String
+ calc(expr: String!): String
+ }
+`);
+
+const root = {
+ greet: ({ name }) => {
+ return `Hello, ${name}!`;
+ },
+ calc: ({ expr }) => {
+ try {
+ return eval(expr).toString(); // $ MISSING: Alert[js/code-injection]
+ } catch (e) {
+ return `Error: ${e.message}`;
+ }
+ }
+};
+
+app.post('/graphql', async (req, res) => {
+ const { query, variables } = req.body; // $ MISSING: Source[js/code-injection]
+ const result = await graphql({
+ schema,
+ source: query,
+ rootValue: root,
+ variableValues: variables
+ });
+ res.json(result);
+});
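Review bot: The fixture has no header comment saying that `eval(expr)` in the `calc` resolver is intentionally vulnerable and that the two `$ MISSING:` markers record a current false negative, so a reader cannot tell a known detection gap from a forgotten expectation. I would add at the top of the file `// Deliberately vulnerable fixture: GraphQL resolver arguments taken from req.body reach eval(); js/code-injection does not yet track this flow (hence MISSING).` The single `Source` marker on `req.body` also does not say whether the taint is expected to arrive through `source: query` (an inline argument literal), through `variableValues: variables`, or both; a short comment naming the intended paths would make clear what the model has to cover once the markers are flipped. Only the `rootValue` resolver style is exercised here, and whether other resolver forms need their own cases cannot be judged from this hunk.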